PAM/SSH and KerberosIV?
From: Robert Watson (rwatson@FreeBSD.org)
Date: 01/31/01
Date: Tue, 30 Jan 2001 19:30:57 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: green@FreeBSD.org

I notice that as part of the PAM/OpenSSH support, the following lines were
added to the pam.conf on -STABLE:

# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so

For most sets of entries, there's also a kerberos line (witness login):

# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login auth sufficient pam_skey.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth required pam_unix.so try_first_pass

Which gets un-commented for Kerberos sites. Could you comment on whether
or not a similar looking line is required for use with KerberosIV and
OpenSSH?

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services
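
The comparison the message makes by eye can be done mechanically. The following is an added example, not part of the original post or of FreeBSD: it parses the pam.conf lines quoted above (embedded as a constructed sample) and lists auth modules that the login stack mentions, active or commented out, but the sshd stack has no line for. The function names are hypothetical, and the output only reports the difference; it does not decide whether such a line is needed.

```python
# Constructed sample: the pam.conf entries quoted in the message above.
PAM_CONF = """\
# OpenSSH with PAM support requires similar modules.
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
login auth sufficient pam_skey.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth required pam_unix.so try_first_pass
"""

PAM_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return (active, commented) lists of (service, type, control, module, args)."""
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = line.startswith("#")
        fields = line.lstrip("#").split()
        # A rule needs service, type, control and module; this also
        # filters out ordinary prose comments.
        if len(fields) < 4 or fields[1] not in PAM_TYPES:
            continue
        entry = (fields[0], fields[1], fields[2], fields[3], fields[4:])
        (commented if is_comment else active).append(entry)
    return active, commented


def auth_modules(entries, service):
    """Modules of one service's auth stack, in file order."""
    return [e[3] for e in entries if e[0] == service and e[1] == "auth"]


def missing_in(active, commented, reference, target):
    """Auth modules listed for `reference` (active or commented out)
    that `target` has no line for at all."""
    everything = active + commented
    ref = set(auth_modules(everything, reference))
    tgt = set(auth_modules(everything, target))
    return sorted(ref - tgt)


if __name__ == "__main__":
    act, com = parse_pam_conf(PAM_CONF)
    print("sshd auth stack:", auth_modules(act, "sshd"))
    print("in login but not sshd:", missing_in(act, com, "login", "sshd"))
```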