pam_krb5 (Russ' implementation) question

Russ Allbery rra at stanford.edu
Fri Mar 7 00:27:46 EST 2008


Coy Hile <coy.hile at coyhile.com> writes:

> I'm using Russ' pam_krb5 implementation on Solaris, but I'm running into
> issues when I'm trying to make it authenticate xscreensaver sessions.
> The users authenticate correctly, but I see no new expiry times on the
> TGT and other tickets (I'd expect the re-authentication to renew
> existing creds, or if they're expired, acquire new ones.)
>
> An excerpt from my /etc/pam.conf is thus:
>
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

If this one succeeds, nothing else runs.  I don't know what it does,
though.

> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
> xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
> xscreensaver auth optional pam_unix_auth.so.1

I think this lets someone authenticate without knowing the password at
all, since both of your authentication modules are optional.

You probably want:

xscreensaver auth sufficient pam_unix_auth.so.1
xscreensaver auth required /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag

Incidentally, you don't need nopag here.  pam_afs_session is smart enough
to know that it's being called to refresh credentials instead of establish
new ones and won't create a new PAG.

> When I lock the screen and then authenticate, I see the following
> in syslog:
>
> Mar  6 21:04:59 ganymede xscreensaver[13110]: [ID 943423 user.error] KRB5: No credentials cache file found while retrieving cerdentials

That's not a pam_krb5 log message.  If that's all you're seeing with the
above configuration, I don't think pam_krb5 is ever being called.  It
should be logging considerably more information than that.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
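To make the control-flag point above concrete, here is an added example (not from the thread or from pam_krb5) that parses the two xscreensaver stacks quoted in the reply and evaluates them under a simplified model of Solaris pam.conf semantics. It assumes that only pam_krb5 and pam_unix_auth actually verify the password and that every other module (prompting, credential setup, pam_afs_session) returns success; the pam_sunray line is left out because its behaviour is unknown.

```python
"""Constructed example: evaluate Solaris PAM control flags for the two
xscreensaver auth stacks discussed in the thread.  Module outcomes are
assumed, and the flag semantics are a simplified model of pam.conf(4)."""

# The stack as originally posted (pam_sunray line omitted, see lead-in).
ORIGINAL_STACK = """
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth required pam_unix_cred.so.1
xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
xscreensaver auth optional pam_unix_auth.so.1
"""

# The stack suggested in the reply.
FIXED_STACK = """
xscreensaver auth sufficient pam_unix_auth.so.1
xscreensaver auth required /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
"""

# Assumption: only these modules check the password; all others succeed.
PASSWORD_CHECKERS = {"pam_krb5.so", "pam_unix_auth.so.1"}


def parse_pam_conf(text, service="xscreensaver", mtype="auth"):
    """Return [(control_flag, module_basename)] for one service and type."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != service or fields[1] != mtype:
            continue
        stack.append((fields[2], fields[3].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, password_ok):
    """Simplified Solaris model: a requisite failure returns at once, a
    required failure is remembered until the end, a sufficient success ends
    the stack unless a required module already failed, and optional results
    are ignored (valid here because both stacks contain required modules)."""
    required_failed = False
    seen_required = False
    for flag, module in stack:
        ok = password_ok if module in PASSWORD_CHECKERS else True
        if flag == "requisite":
            seen_required = True
            if not ok:
                return False
        elif flag == "required":
            seen_required = True
            required_failed = required_failed or not ok
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
    return seen_required and not required_failed
```

With a wrong password the original stack still evaluates to success, because both password-checking modules are optional, while the corrected stack fails.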
