[OpenAFS] PAM problems.

Charles Clancy security@xauth.net
Wed, 7 May 2003 15:57:47 -0500 (CDT)


On Wed, 7 May 2003, Daniel Lundqvist wrote:

> # OpenSSH with PAM support requires similar modules.  The session one is
> # a bit strange, though...
> sshd   auth    sufficient      pam_afs.so   try_first_pass ignore_root
> sshd   auth    required        pam_unix.so  try_first_pass
> sshd    account required        pam_unix.so
> sshd    password required       pam_permit.so
> sshd   session sufficient      pam_afs.so try_first_pass
> sshd    session required        pam_permit.so

The problem is that your first module has "try_first_pass", and there's no
first pass to try.

The recommended minimal configuration is:

sshd auth     sufficient pam_afs.so  ignore_root
sshd auth     required   pam_unix.so use_first_pass
sshd account  required   pam_unix.so
sshd password required   pam_unix.so
sshd session  required   pam_unix.so
sshd session  optional   pam_afs.so

There should be a more complete recommendation in the pam_afs(5) man page.
I know it made it into the distribution, but perhaps not into the RPMs.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
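
Added example, not part of the original message or of OpenAFS: a small Python check that reads pam.conf-style lines (service, type, control, module, arguments, the layout both configurations above use) and reports any service whose first auth module carries try_first_pass or use_first_pass, the condition the reply points to. The function name is hypothetical, the two sample inputs are the stacks from this thread, and single-word control fields are assumed (no bracketed `[...]` controls).

```python
# Added example: lint pam.conf-style lines for the condition the reply describes,
# i.e. the first auth module of a service asking for an earlier module's password.
FIRST_PASS_OPTS = {"try_first_pass", "use_first_pass"}

def first_auth_findings(text):
    """Return [(service, module, option)] for each service whose first auth
    module carries try_first_pass or use_first_pass."""
    seen = set()      # services whose first auth line has already been examined
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                   # need: service type control module
            continue
        # Assumption: control is one word (required, sufficient, ...).
        service, mtype, _control, module = fields[:4]
        if mtype.lower() != "auth" or service in seen:
            continue
        seen.add(service)                     # only the first auth entry matters
        for opt in fields[4:]:
            if opt in FIRST_PASS_OPTS:
                findings.append((service, module, opt))
    return findings

# The two sshd stacks from the thread, used as sample input.
QUOTED = """\
sshd   auth    sufficient      pam_afs.so   try_first_pass ignore_root
sshd   auth    required        pam_unix.so  try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd   session sufficient      pam_afs.so try_first_pass
sshd    session required        pam_permit.so
"""
RECOMMENDED = """\
sshd auth     sufficient pam_afs.so  ignore_root
sshd auth     required   pam_unix.so use_first_pass
sshd account  required   pam_unix.so
sshd password required   pam_unix.so
sshd session  required   pam_unix.so
sshd session  optional   pam_afs.so
"""

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED), ("recommended", RECOMMENDED)):
        print(name, first_auth_findings(conf))
```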