Can't get Russ' pam_krb5 module to work with ssh on RHEL5
Russ Allbery
rra at stanford.edu
Thu Mar 1 20:39:35 EST 2012
Jason Edgecombe <jason at rampaginggeek.com> writes:
> On 03/01/2012 07:38 PM, Russ Allbery wrote:

>> If you lock users in /etc/shadow, pam_unix will reject all logins via
>> whatever mechanism for those users. So you either have to arrange to
>> bypass pam_unix entirely in PAM, or you need to not lock users and
>> instead just give them invalid password entries.

>> However, "*" isn't locking the account; "!" is locking the account. At
>> least on Debian; maybe pam_unix works differently on Red Hat?

> Well, pam_unix worked fine with RedHat's pam_krb5. Console and GDM
> logins work; only ssh is broken. I don't think that the password entries
> are a problem.

There are two things that are obviously failing given your logs:

* pam-krb5 is not running at all during the authentication step. This
  obviously can't be a problem with pam-krb5. :) Something is wrong with
  the PAM configuration.

* The account group in PAM is rejecting the login despite the fact that
  pam-krb5 is returning ignore. I'm pretty sure that adding the missing
  ignore=ignore directive will fix this.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
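
Added example, not part of the original message and not code from pam-krb5 or Linux-PAM: a simplified Python model of how Linux-PAM evaluates control fields, showing why a bracketed control without ignore=ignore turns a module's "ignore" return into a failure of the account stack. The stack in BEFORE is constructed for illustration and is not the poster's actual configuration; jump counts and "reset" are not modeled.

```python
# Simplified model of Linux-PAM control-field evaluation (added example).
# Keyword expansions follow pam.conf(5); every control is assumed to set default=.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """Turn 'required' or '[a=b c=d]' into a {return_value: action} map."""
    body = control.strip("[]") if control.startswith("[") else KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in body.split())

def run_stack(stack, returns):
    """stack: list of (control, module); returns: module -> return value.
    Yields (permitted, reason_for_denial)."""
    failed, positive = None, False
    for control, module in stack:
        ret = returns[module]
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action == "ignore":
            continue                      # module does not contribute
        if action in ("bad", "die"):
            failed = failed or f"{module} returned {ret}"
            if action == "die":
                break
        elif action in ("ok", "done"):
            positive = True
            if action == "done" and failed is None:
                break
    if failed:
        return (False, failed)
    if not positive:                      # nothing contributed: PAM denies
        return (False, "no module gave a positive result")
    return (True, None)

# Constructed account stack (assumption), before and after adding ignore=ignore.
BEFORE = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("required", "pam_permit.so"),
]
AFTER = [(c.replace("user_unknown=ignore", "user_unknown=ignore ignore=ignore"), m)
         for c, m in BEFORE]
RETURNS = {"pam_unix.so": "success", "pam_krb5.so": "ignore", "pam_permit.so": "success"}

if __name__ == "__main__":
    print("before:", run_stack(BEFORE, RETURNS))
    print("after: ", run_stack(AFTER, RETURNS))
```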