Debugging Suse krb pam for ssh session?
ольга крыжановская
olga.kryzhanovska at gmail.com
Wed Mar 12 07:45:20 EDT 2014
PAM config of the client is this:
###################################################
(for i in /etc/pam.d/* ; do printf "\n>>>> %s\n" "$i" ; cat "$i" ; done)
>>>> /etc/pam.d/atd
#
# The PAM configuration file for the at daemon
#
#
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chage
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chfn
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chpasswd
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chsh
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/common-account
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account requisite pam_unix.so try_first_pass
account required pam_krb5.so use_first_pass ignore_unknown_principals
>>>> /etc/pam.d/common-account.pam-config-backup
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix.so try_first_pass
>>>> /etc/pam.d/common-account-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account requisite pam_unix.so try_first_pass
account required pam_krb5.so use_first_pass ignore_unknown_principals
>>>> /etc/pam.d/common-auth
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
>>>> /etc/pam.d/common-auth.pam-config-backup
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth required pam_unix.so try_first_pass
>>>> /etc/pam.d/common-auth-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
>>>> /etc/pam.d/common-password
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_cracklib.so
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password sufficient pam_krb5.so
password required pam_deny.so
>>>> /etc/pam.d/common-password.pam-config-backup
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
password requisite pam_cracklib.so
password required pam_unix.so use_authtok nullok try_first_pas
>>>> /etc/pam.d/common-password-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_cracklib.so
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password sufficient pam_krb5.so
password required pam_deny.so
>>>> /etc/pam.d/common-session
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so
>>>> /etc/pam.d/common-session.pam-config-backup
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
>>>> /etc/pam.d/common-session-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so
>>>> /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
auth sufficient pam_rootok.so
account sufficient pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/cups
auth include common-auth
account include common-account
>>>> /etc/pam.d/groupadd
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/groupdel
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/groupmod
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/init
#%PAM-1.0
#
# The PAM configuration file for /sbin/init
# Used for updating the lastlog logging file
#
auth sufficient pam_rootok.so
account include common-account
session requisite pam_lastlog.so silent
>>>> /etc/pam.d/login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
>>>> /etc/pam.d/newusers
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/other
#%PAM-1.0
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
>>>> /etc/pam.d/passwd
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/polkit-1
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/ppp
#%PAM-1.0
auth required pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/remote
#%PAM-1.0
# This file is used by /bin/login in case of remote logins (means where
# the -h option is used
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
>>>> /etc/pam.d/samba
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/smtp
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/sshd
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
>>>> /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
>>>> /etc/pam.d/sudo
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
>>>> /etc/pam.d/su-l
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
>>>> /etc/pam.d/useradd
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/userdel
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/usermod
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/vlock
auth include common-auth
account include common-account
session include common-session
password include common-password
>>>> /etc/pam.d/vmtoolsd
#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_unix.so shadow nullok
auth required pam_unix_auth.so shadow nullok
account sufficient pam_unix2.so
account sufficient pam_unix.so
account required pam_unix_acct.so
>>>> /etc/pam.d/xdm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/xdm-np
#%PAM-1.0
auth required pam_permit.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
###################################################
PAM config on the server is this:
###################################################
(for i in /etc/pam.d/* ; do printf "\n>>>> %s\n" "$i" ; cat "$i" ; done)
>>>> /etc/pam.d/atd
#
# The PAM configuration file for the at daemon
#
#
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chage
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chfn
#%PAM-1.0
# For chfn command
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/chsh
#%PAM-1.0
# For chsh command
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/common-account
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
>>>> /etc/pam.d/common-account.pam-config-backup
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix2.so
>>>> /etc/pam.d/common-account-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
>>>> /etc/pam.d/common-auth
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
>>>> /etc/pam.d/common-auth.pam-config-backup
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth required pam_unix2.so
>>>> /etc/pam.d/common-auth-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
>>>> /etc/pam.d/common-password
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so
>>>> /etc/pam.d/common-password.pam-config-backup
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so nullok cracklib
password required pam_unix2.so nullok use_authtok
#password required pam_make.so /var/yp
>>>> /etc/pam.d/common-password-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so
>>>> /etc/pam.d/common-session
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required pam_limits.so
session required pam_unix2.so
session optional pam_apparmor.so
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>>> /etc/pam.d/common-session.pam-config-backup
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix2.
#
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
>>>> /etc/pam.d/common-session-pc
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required pam_limits.so
session required pam_unix2.so
session optional pam_apparmor.so
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>>> /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/cups
auth include common-auth
account include common-account
>>>> /etc/pam.d/init
#%PAM-1.0
#
# The PAM configuration file for /sbin/init
# Used for updating the lastlog logging file
#
auth sufficient pam_rootok.so
account include common-account
session requisite pam_lastlog.so silent
>>>> /etc/pam.d/login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so
>>>> /etc/pam.d/login.old
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so
>>>> /etc/pam.d/other
#%PAM-1.0
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
>>>> /etc/pam.d/passwd
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/polkit
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/polkit-1
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/ppp
#%PAM-1.0
auth required pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/remote
#%PAM-1.0
# This file is used by /bin/login in case of remote logins (means where
# the -h option is used
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
>>>> /etc/pam.d/samba
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/shadow
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
#password required pam_make.so /var/yp
password required pam_permit.so
session required pam_deny.so
>>>> /etc/pam.d/smtp
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/sshd
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
>>>> /etc/pam.d/sudo
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
>>>> /etc/pam.d/su-l
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
>>>> /etc/pam.d/useradd
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
>>>> /etc/pam.d/vmware-authd
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
>>>> /etc/pam.d/vsftpd
#%PAM-1.0
# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Uncomment the following line for anonymous ftp.
#auth sufficient pam_ftp.so
auth required pam_shells.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/xdm
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
>>>> /etc/pam.d/xdm-np
#%PAM-1.0
auth required pam_permit.so
account include common-account
password include common-password
session include common-session
###################################################
Does that help?
Olga
On Wed, Mar 12, 2014 at 9:31 AM, Robert Wehn
<robert.wehn at rz.uni-augsburg.de> wrote:
> On 12.03.2014 02:30, ольга крыжановская wrote:
>> Does anyone know how I can debug kerberos pam on Linux? We have a new
>> krb5 server running on stock Suse 11.3 on which a user test001 is
>> configured. Logging into that local account works on the server and
>> automagically gives a krb5 ticket.
> I'm not sure how pam is configured in Suse Linux.
> In Debian/Ubuntu I would look into
> /etc/pam.d/auth-common (or the other auth modules there)
> to see which modules are used and "requisite" "sufficient" "optional" ...
> Maybe it's all in one file like /etc/pam.conf in Suse ...
>
> "man pam.conf" for the details.
>
> What do you plan to do:
> - Log in with a local account and get a kerberos ticket in addition
> (for the local user)
> - have a password only in kerberos *or* locally on the machine
>> However, on the client machine, which runs Suse 12.3, which uses the
>> server as kdc, I do not get a krb5 ticket automagically if I ssh into
>> it, while a later kinit gives me the desired ticket.
> please provide the pam config files of server and client.
>
> Robert.
>
> --
>
> Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
> Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
> 86135 Augsburg .................................. Fax. (0821) 598-2028
>
--
, _ _ ,
{ \/`o;====- Olga Kryzhanovska -====;o`\/ }
.----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----.
`'-..-| / http://twitter.com/fleyta \ |-..-'`
/\/\ Solaris/BSD//C/C++ programmer /\/\
`--` `--`
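
An added example, not part of the original thread or anyone's posted code: it resolves the `include` lines of the client's sshd `auth` stack from the dump above and walks it with the standard Linux-PAM meaning of requisite/required/sufficient/optional, so the order of the modules and the point where the stack stops can be read off. The per-module results fed to `trace()` are constructed inputs, not observations from the poster's hosts.

```python
# Added example: flatten the client's sshd "auth" stack and trace which
# modules PAM would call. CLIENT holds lines copied from the client dump
# above; the module results passed to trace() are constructed inputs.

CLIENT = {
    "sshd": """
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
""",
    "common-auth": """
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
""",
}


def flatten(files, service, mtype):
    """Return [(control, module, args)] for one management group,
    following 'include' lines into the named file."""
    stack = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != mtype:
            continue  # blank, comment, or a different management group
        control, target, args = fields[1], fields[2], fields[3:]
        if control.startswith("["):
            # [value=action ...] controls are outside this simplified model
            raise ValueError("bracket control not handled: " + raw.strip())
        if control == "include":
            stack.extend(flatten(files, target, mtype))
        else:
            stack.append((control, target, args))
    return stack


def trace(stack, results):
    """Walk a flattened stack. 'results' maps module name -> True/False;
    unlisted modules succeed, except pam_deny.so which always fails.
    Returns (stack_succeeds, [modules called, in order])."""
    called, failed, succeeded = [], False, False
    for control, module, _ in stack:
        called.append(module)
        ok = results.get(module, module != "pam_deny.so")
        if control == "requisite":
            if not ok:
                return False, called      # fail immediately
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True             # remember, keep walking
        elif control == "sufficient":
            if ok and not failed:
                return True, called       # success ends the stack here
        elif control == "optional":
            succeeded = succeeded or ok   # failure is ignored
    return (succeeded and not failed), called


if __name__ == "__main__":
    stack = flatten(CLIENT, "sshd", "auth")
    for control, module, args in stack:
        print(f"{control:<11}{module} {' '.join(args)}")
    scenarios = {  # constructed module results
        "pam_unix accepts the password": {"pam_unix.so": True},
        "pam_unix rejects, pam_krb5 accepts": {"pam_unix.so": False,
                                               "pam_krb5.so": True},
        "both reject": {"pam_unix.so": False, "pam_krb5.so": False},
    }
    for name, res in scenarios.items():
        ok, called = trace(stack, res)
        print(f"\n{name}: {'success' if ok else 'failure'}")
        print("  called:", ", ".join(called))
```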