Kerberos auth based on ticket

Mathew Rowley mathew_rowley at
Mon Dec 15 18:36:13 EST 2008

I am having a really hard time finding any documentation about PAM
configurations.  I want to be able to authenticate an SSH login with a valid
Kerberos ticket.  What configurations do I need within the
/etc/pam.d/system-auth file to allow an authentication to succeed with a
valid ticket.  Here is what I currently have:

Valid ticket:
[root at ipa01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 18:11:50  12/16/08 18:11:50  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

System-auth will use Œpam_krb5¹ as sufficient
[root at ipa01 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond
quiet use_uid
session     required
session     optional

Yet, when I attempt to log in, it still asks me for a password ­ even though
I have a valid ticket...
[root at ipa01 ~]# ssh mrowley at localhost
mrowley at localhost's password:

Any help would be appreciated.  Thanks.


More information about the Kerberos mailing list