4.0 + PAM + Krb5 + AFS = Working

From: Derek Harkness (dharknes_at_umd.umich.edu)
Date: 03/14/05

    To: secureshell@securityfocus.com
    Date: Mon, 14 Mar 2005 07:19:44 -0500

    I upgraded a test workstation to 4.0. I compiled two versions, one with
    Kerberos+AFS support and another with just PAM. The goal is to be able
    to log in using Kerberos and get an AFS token.

    So here's what I've got: if I use the Kerberos+AFS version I can't
    log in at all. I don't have a keytab for this workstation, which is the
    error message I'm getting, so I'm assuming that this will work once I
    get one from my krb admin.

    The bigger problem is the PAM integration. When I log in using just PAM
    I am able to get logged in, but neither my Kerberos tickets nor my AFS
    tokens are set. Just wondering if anyone has a suggestion on getting
    this working, since I have far too many servers with ssh to request
    keytabs for all of them.

    I'm running on Debian stable (Woody), using the packaged pam-krb5 and
    pam-openafs-session modules.


    "This world is a comedy to those who think and a tragedy to those who

