
Tweak pam



On a Mandrake machine I have a central system-auth file (used by ssh, login, telnet, rlogin, rexec, ...) that should look like this:

auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_access.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so
account     required      pam_access.so

password    required      pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so


The per-service configuration files include this system-auth file through pam_stack.so (example: login):

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


Be sure that you have the /lib/security/pam_krb5.so file, or you won't be able to log in! If you don't have it, install the pam_krb5 package. Be sure to change the "required" fields to sufficient as shown.

Suse (10.0) uses another way to include files. The common settings are split into 4 files: common-account, common-auth, common-password and common-session. They are pulled in with the "include" keyword in the second column. The login file again as an example:

auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_resmgr.so


And here are the common files:

common-account:
account required        pam_unix2.so


common-auth:
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_krb5.so use_first_pass


common-session:
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_krb5.so


common-password:
password required       pam_pwcheck.so  nullok
password sufficient     pam_unix2.so    nullok use_first_pass use_authtok
password sufficient     pam_krb5.so     use_authtok


(todo: more explanation and check password changing)

Try again to ssh to the Kerberos machine. You'll still have to type the password, but you can log in now!
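
An added example, not part of the original page: a failed "sufficient" module is ignored, so once every credential check is "sufficient" the stack itself only denies when a "required pam_deny.so" follows, as in the system-auth listing. This Python sketch resolves both inclusion styles shown above and reports auth stacks without that closing line; the sample is constructed from the listings' auth lines, and the keys login-mandrake and login-suse are hypothetical names for the two login files.

```python
import re

RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Constructed sample: auth lines from the listings above; login-* keys are hypothetical.
FILES = {
    "login-mandrake": "auth required pam_stack.so service=system-auth\n"
                      "auth required pam_nologin.so\n",
    "system-auth": "auth required   pam_env.so\n"
                   "auth sufficient pam_unix.so likeauth nullok\n"
                   "auth sufficient pam_krb5.so use_first_pass\n"
                   "auth required   pam_deny.so\n",
    "login-suse": "auth include  common-auth\n"
                  "auth required pam_nologin.so\n",
    "common-auth": "auth required   pam_env.so\n"
                   "auth sufficient pam_unix2.so\n"
                   "auth sufficient pam_krb5.so use_first_pass\n",
}

def flatten(name, facility, files):
    """List (control, module) for one facility, resolving 'include NAME' and
    'pam_stack.so service=NAME'. Inlining pam_stack is a simplification."""
    rules = []
    for raw in files[name].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != facility:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        sub = re.search(r"\bservice=(\S+)", args) if module == "pam_stack.so" else None
        if control == "include":
            rules += flatten(module, facility, files)
        elif sub:
            rules += flatten(sub.group(1), facility, files)
        else:
            rules.append((control, module))
    return rules

def lacks_closing_deny(rules):
    """True when 'sufficient' modules are not followed by a required or
    requisite pam_deny.so, so nothing in the stack denies once they all fail."""
    last = max((i for i, r in enumerate(rules) if r[0] == "sufficient"), default=None)
    return last is not None and not any(
        c in ("required", "requisite") and m == "pam_deny.so" for c, m in rules[last + 1:])

def report(files=FILES):
    return {n: lacks_closing_deny(flatten(n, "auth", files))
            for n in ("login-mandrake", "login-suse")}

if __name__ == "__main__":
    print(report())
```

With this sample the pam_stack-based login is reported as closed by pam_deny.so and the include-based login is not. What the latter returns when both sufficient modules fail depends on the return codes of the remaining modules.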

Created by system. Last Modification: Tuesday 27 of December, 2005 23:15:17 GMT-0000 by admin.
