[OpenAFS] PAM problems.
Charles Clancy
security@xauth.net
Wed, 7 May 2003 15:57:47 -0500 (CDT)
On Wed, 7 May 2003, Daniel Lundqvist wrote:
> # OpenSSH with PAM support requires similar modules. The session one is
> # a bit strange, though...
> sshd auth sufficient pam_afs.so try_first_pass ignore_root
> sshd auth required pam_unix.so try_first_pass
> sshd account required pam_unix.so
> sshd password required pam_permit.so
> sshd session sufficient pam_afs.so try_first_pass
> sshd session required pam_permit.so
The problem is that your first module has "try_first_pass", and there's no
first pass to try.

The recommended minimal configuration is:

sshd auth sufficient pam_afs.so ignore_root
sshd auth required pam_unix.so use_first_pass
sshd account required pam_unix.so
sshd password required pam_unix.so
sshd session required pam_unix.so
sshd session optional pam_afs.so

There should be a more complete recommendation in the pam_afs(5) man page.
I know it made it into the distribution, but perhaps not into the RPMs.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
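
A small check for the condition described in the reply above, added here as an example and not part of the original message or of OpenAFS: it parses pam.conf-style lines and reports any auth stack whose first module is given try_first_pass or use_first_pass. The function names are hypothetical, and it assumes simple one-word control flags (no bracketed controls); the two sample configurations are the ones quoted in this thread.

```python
# Added example (not from the original post): lint pam.conf-style entries of
# the form "service type control module [args...]".
PASS_OPTS = {"try_first_pass", "use_first_pass"}

def parse_pam_conf(text):
    """Return one dict per non-comment line, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module'")
        entries.append({"line": lineno, "service": fields[0], "type": fields[1],
                        "control": fields[2], "module": fields[3],
                        "args": fields[4:]})
    return entries

def first_pass_findings(text):
    """Flag the first auth module of each service if it expects an earlier password."""
    seen, findings = set(), []
    for e in parse_pam_conf(text):
        key = (e["service"], e["type"])
        if key in seen:
            continue                          # only the head of each stack matters
        seen.add(key)
        if e["type"] == "auth":
            for opt in sorted(PASS_OPTS & set(e["args"])):
                findings.append((e["line"], e["service"], e["module"], opt))
    return findings

# Configuration quoted in the thread (the one with the problem).
QUOTED = """\
sshd auth sufficient pam_afs.so try_first_pass ignore_root
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
"""

# Recommended minimal configuration from the reply.
RECOMMENDED = """\
sshd auth sufficient pam_afs.so ignore_root
sshd auth required pam_unix.so use_first_pass
sshd account required pam_unix.so
"""

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED), ("recommended", RECOMMENDED)):
        print(name, first_pass_findings(conf))
```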