Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Russ Allbery rra at stanford.edu
Thu Mar 1 19:38:30 EST 2012


Jason Edgecombe <jason at rampaginggeek.com> writes:

> No, the local users are locked in the shadow file. The users have a "*" 
> in the password field for the /etc/shadow file. I'm using nssdb for 
> passwd and shadow file if that matters.

If you lock users in /etc/shadow, pam_unix will reject all logins via
whatever mechanism for those users.  So you either have to arrange to
bypass pam_unix entirely in PAM, or you need to not lock users and instead
just give them invalid password entries.

However, "*" isn't locking the account; "!" is locking the account.  At
least on Debian; maybe pam_unix works differently on Red Hat?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
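
The distinction drawn in this message between a "!" entry and a "*" entry, as an added example (not part of the original post or of pam_krb5): a small Python classifier for the password field of shadow lines, following the passwd(1) convention that locking an account prepends "!" to the field. The sample lines, fake hashes, category names and function names are constructed for illustration, and the script makes no claim about how a particular pam_unix build treats each category.

```python
import re

# Constructed sample shadow lines; the hashes are fake placeholders.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$abcdefghijklmnopqrstuv:15400:0:99999:7:::
bob:*:15400:0:99999:7:::
carol:!$6$saltsalt$abcdefghijklmnopqrstuv:15400:0:99999:7:::
dave:!:15400:0:99999:7:::
erin::15400:0:99999:7:::
"""

# Shapes that look like crypt(3) output: modular "$id$..." or 13-char DES.
_CRYPT_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def classify_field(pw):
    """Classify the second field of a shadow entry."""
    if pw == "":
        return "empty"                # no password set at all
    if pw.startswith("!"):
        # "!" prefix is what `passwd -l` / `usermod -L` add to lock.
        rest = pw.lstrip("!")
        return "locked-hash-kept" if _CRYPT_RE.match(rest) else "locked-no-hash"
    if _CRYPT_RE.match(pw):
        return "hash"                 # usable password hash
    return "invalid"                  # e.g. "*": matches no password, no "!" lock


def classify_shadow(text):
    """Return {username: category} for every well-formed line in text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                  # malformed line, skip
        result[fields[0]] = classify_field(fields[1])
    return result


if __name__ == "__main__":
    for user, state in classify_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```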

