pam_krb5 (Russ' implementation) question
Russ Allbery
rra at stanford.edu
Fri Mar 7 00:27:46 EST 2008
Coy Hile <coy.hile at coyhile.com> writes:
> I'm using Russ' pam_krb5 implementation on Solaris, but I'm running into
> issues when I'm trying to make it authenticate xscreensaver sessions.
> The users authenticate correctly, but I see no new expiry times on the
> TGT and other tickets (I'd expect the re-authentication to renew
> existing creds, or if they're expired, acquire new ones.)
>
> An excerpt from my /etc/pam.conf is thus:
>
> xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

If this one succeeds, nothing else runs. I don't know what it does,
though.

> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth required pam_unix_cred.so.1
> xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug
> xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag
> xscreensaver auth optional pam_unix_auth.so.1

I think this lets someone authenticate without knowing the password at
all, since both of your authentication modules are optional.

You probably want:

xscreensaver auth sufficient pam_unix_auth.so.1
xscreensaver auth required /krb5/lib/security/pam_krb5.so use_first_pass debug
xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug nopag

Incidentally, you don't need nopag here. pam_afs_session is smart enough
to know that it's being called to refresh credentials instead of establish
new ones and won't create a new PAG.

> When I lock the screen and then authenticate, I see the following
> in syslog:
>
> Mar 6 21:04:59 ganymede xscreensaver[13110]: [ID 943423 user.error] KRB5: No
> credentials cache file found while retrieving cerdentials

That's not a pam_krb5 log message. If that's all you're seeing with the
above configuration, I don't think pam_krb5 is ever being called. It
should be logging considerably more information than that.

-- 
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
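To see the point about the two optional modules concretely, here is an added simulation (not code from this thread, from pam_krb5 or from Solaris PAM) of control-flag stacking run over the original stack and the suggested one. Module outcomes are constructed: pam_sunray is assumed to fail because the session is not on a Sun Ray display, and only pam_krb5 and pam_unix_auth are treated as actually checking the password.

```python
SUCCESS, FAIL = "success", "fail"

def run_stack(stack, outcomes):
    """Evaluate a pam.conf auth stack ((flag, module) pairs) and return
    the overall result. `outcomes` maps module -> result for this attempt;
    modules not listed succeed, as the non-password modules here do.

    Flags, in simplified Solaris/Linux-PAM semantics:
      requisite  - failure ends the stack with failure at once
      required   - failure is remembered but later modules still run
      sufficient - success ends the stack with success unless a required
                   module already failed; its failure is ignored
      optional   - consulted only if no other flag decided the result
    """
    required_failed = decided_success = False
    optional_results = []
    for flag, module in stack:
        result = outcomes.get(module, SUCCESS)
        if flag == "requisite" and result == FAIL:
            return FAIL
        if flag in ("requisite", "required"):
            if result == FAIL:
                required_failed = True
            else:
                decided_success = True
        elif flag == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS
        elif flag == "optional":
            optional_results.append(result)
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return FAIL
    if decided_success:
        return SUCCESS
    return FAIL if FAIL in optional_results else SUCCESS  # only optionals ran

# The stack from the question (pam_sunray assumed not to apply, so it fails).
ORIGINAL_STACK = [("sufficient", "pam_sunray"), ("requisite", "pam_authtok_get"),
                  ("required", "pam_dhkeys"), ("required", "pam_unix_cred"),
                  ("optional", "pam_krb5"), ("required", "pam_afs_session"),
                  ("optional", "pam_unix_auth")]
# The stack suggested in the reply.
SUGGESTED_STACK = [("sufficient", "pam_unix_auth"), ("required", "pam_krb5"),
                   ("required", "pam_afs_session")]
# Constructed outcomes: only the password-checking modules reject a bad password.
WRONG_PASSWORD = {"pam_sunray": FAIL, "pam_krb5": FAIL, "pam_unix_auth": FAIL}
GOOD_KRB5_PASSWORD = {"pam_sunray": FAIL, "pam_unix_auth": FAIL}
```

With a wrong password the original stack still returns success, because every module that can fail on the password is optional and the required modules never look at it; the suggested stack fails unless pam_unix_auth or pam_krb5 accepts the password.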