Can't get Russ' pam_krb5 module to work with ssh on RHEL5

Russ Allbery rra at stanford.edu
Thu Mar 1 20:39:35 EST 2012


Jason Edgecombe <jason at rampaginggeek.com> writes:
> On 03/01/2012 07:38 PM, Russ Allbery wrote:

>> If you lock users in /etc/shadow, pam_unix will reject all logins via
>> whatever mechanism for those users.  So you either have to arrange to
>> bypass pam_unix entirely in PAM, or you need to not lock users and
>> instead just give them invalid password entries.

>> However, "*" isn't locking the account; "!" is locking the account.  At
>> least on Debian; maybe pam_unix works differently on Red Hat?

> Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM
> logins work; only ssh is broken. I don't think that the password entries
> are a problem.

There are two things that are obviously failing given your logs:

* pam-krb5 is not running at all during the authentication step.  This
  obviously can't be a problem with pam-krb5.  :)  Something is wrong with
  the PAM configuration.

* The account group in PAM is rejecting the login despite the fact that
  pam-krb5 is returning ignore.  I'm pretty sure that adding the missing
  ignore=ignore directive will fix this.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
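
Added example, not part of the original message or of pam-krb5: a Python check for the second point above, finding account-stack lines whose control field turns a PAM_IGNORE return from the module into a failure. The sample stack is constructed, the function names are hypothetical, and the keyword expansions follow pam.conf(5).

```python
import re

# Documented expansions of the simple control keywords (pam.conf(5)).
SIMPLE = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control (keyword or [value=action ...]), module path
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def action_for(control, retval):
    """Action the stack takes when a module returns `retval`."""
    if control.startswith("["):
        pairs = (p.split("=", 1) for p in control[1:-1].split() if "=" in p)
        actions = dict(pairs)
    else:
        actions = SIMPLE.get(control, {})
    # Values not listed explicitly fall through to default=; "unset" if absent.
    return actions.get(retval, actions.get("default", "unset"))

def ignore_failures(config, module="pam_krb5.so", group="account"):
    """Return (line_no, control) where PAM_IGNORE from `module` fails the stack."""
    hits = []
    for n, raw in enumerate(config.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        typ, control, path = m.groups()
        if typ.lstrip("-") == group and path.endswith(module):
            if action_for(control, "ignore") in ("bad", "die"):
                hits.append((n, control))
    return hits

# Constructed sample, not the configuration from this thread.
SAMPLE = """\
auth     sufficient   pam_krb5.so
account  required     pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
account  [default=bad success=ok user_unknown=ignore ignore=ignore] pam_krb5.so
"""

if __name__ == "__main__":
    for n, control in ignore_failures(SAMPLE):
        print(f"line {n}: {control} fails on PAM_IGNORE; add ignore=ignore")
```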

