Re: PAM/SSH and KerberosIV?

From: Brian F. Feldman (green@FreeBSD.org)
Date: 01/31/01


To: Robert Watson <rwatson@FreeBSD.org>
From: "Brian F. Feldman" <green@FreeBSD.org>
Date: Tue, 30 Jan 2001 19:49:01 -0500

Robert Watson <rwatson@FreeBSD.org> wrote:
>
> I notice that as part of the PAM/OpenSSH support, the following lines were
> added to the pam.conf on -STABLE:
>
> # OpenSSH with PAM support requires similar modules. The session one is
> # a bit strange, though...
> sshd auth sufficient pam_skey.so
> sshd auth required pam_unix.so try_first_pass
> sshd session required pam_permit.so
>
> For most sets of entries, there's also a kerberos line (witness login):
>
> # If the user can authenticate with S/Key, that's sufficient; allow clear
> # password. Try kerberos, then try plain unix password.
> login auth sufficient pam_skey.so
> login auth requisite pam_cleartext_pass_ok.so
> #login auth sufficient pam_kerberosIV.so try_first_pass
> login auth required pam_unix.so try_first_pass
>
> Which gets un-commented for Kerberos sites. Could you comment on whether
> or not a similar looking line is required for use with KerberosIV and
> OpenSSH?

I don't know. I do not have the capacity to test Kerberos without going
through the trouble of setting it up for myself only, on my own computer,
which would be an exercise in utterly, profoundly useless effort.
So, anyone who does it, let me know if it works for you and how.

BTW, you ever test the make-ssh-use-/dev/tty-to-ask-for-OTP patch?

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
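The pam.conf stanzas quoted in the message are PAM control stacks, and the answer to "is a pam_kerberosIV line needed for sshd" comes down to how the sufficient/requisite/required flags compose. The Python below is an added illustration, not code from the message or from FreeBSD: it walks the sshd stack as quoted, the login stack with the pam_kerberosIV line un-commented, and a hypothetical misordered stack, using the classic PAM control-flag semantics. Each module's verdict is supplied as constructed input (pam_cleartext_pass_ok is modelled only as accept/reject, per the comment on the page); no real module runs, and the try_first_pass option is not modelled.

```python
"""Model of how PAM control flags combine in an "auth" stack.

Added illustration, not FreeBSD's PAM implementation. Each module's
verdict is supplied by the caller (constructed data); no real module runs.
"""
from typing import Dict, List, Tuple

# One pam.conf "auth" line: (control flag, module name).
Stack = List[Tuple[str, str]]

# sshd stack as quoted in the message.
SSHD_AUTH: Stack = [
    ("sufficient", "pam_skey.so"),
    ("required", "pam_unix.so"),
]

# login stack as quoted, with the pam_kerberosIV line un-commented.
LOGIN_AUTH_KRB: Stack = [
    ("sufficient", "pam_skey.so"),
    ("requisite", "pam_cleartext_pass_ok.so"),
    ("sufficient", "pam_kerberosIV.so"),
    ("required", "pam_unix.so"),
]

# Hypothetical misordering (not from the page), to show why the
# "required" line belongs after the "sufficient" ones.
LOGIN_AUTH_MISORDERED: Stack = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_kerberosIV.so"),
]


def run_auth_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack and return (authenticated, modules consulted).

    `outcomes` maps module name -> True if that module would accept this
    login attempt. Modules missing from the dict are treated as rejecting.

    Classic PAM semantics:
      required   rejection makes the final result a failure, but the rest
                 of the stack still runs, so the caller cannot tell which
                 module said no.
      requisite  rejection ends the stack immediately with failure.
      sufficient acceptance ends the stack immediately with success,
                 unless a required module above it already failed;
                 rejection is simply ignored.
    """
    required_failed = False
    required_passed = False
    consulted: List[str] = []

    for control, module in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)

        if control == "requisite":
            if not ok:
                return False, consulted
            required_passed = True
        elif control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        else:
            raise ValueError(f"unknown control flag {control!r}")

    # End of stack: any required failure wins; otherwise at least one
    # required/requisite module must have accepted (a stack whose only
    # "sufficient" lines all rejected does not authenticate).
    return (not required_failed) and required_passed, consulted


if __name__ == "__main__":
    scenarios = {
        "sshd, S/Key accepted": (SSHD_AUTH, {"pam_skey.so": True}),
        "sshd, S/Key rejected, unix password ok": (SSHD_AUTH, {"pam_unix.so": True}),
        "login, cleartext not allowed, Kerberos password ok anyway": (
            LOGIN_AUTH_KRB, {"pam_kerberosIV.so": True}),
        "login, cleartext ok, Kerberos ok": (
            LOGIN_AUTH_KRB, {"pam_cleartext_pass_ok.so": True, "pam_kerberosIV.so": True}),
        "login, cleartext ok, Kerberos fails, unix ok": (
            LOGIN_AUTH_KRB, {"pam_cleartext_pass_ok.so": True, "pam_unix.so": True}),
        "misordered: unix fails, Kerberos ok": (
            LOGIN_AUTH_MISORDERED, {"pam_kerberosIV.so": True}),
    }
    for name, (stack, outcomes) in scenarios.items():
        ok, path = run_auth_stack(stack, outcomes)
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {' -> '.join(path)}")
```

Two things the trace makes visible: with the requisite pam_cleartext_pass_ok line, a Kerberos password that the KDC would accept never gets tried if cleartext passwords are not allowed on that connection, and in the misordered stack a Kerberos success cannot rescue a pam_unix rejection, which is why the required pam_unix line sits last in both quoted stacks.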