Tweak pam


On a Mandrake machine I have a central system-auth file (used by ssh, login, telnet, rlogin, rexec, ...) that should look like this:

auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_access.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so
account     required      pam_access.so

password    required      pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so


The configuration files include this system-auth file (example: login):

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


Be sure that you have the /lib/security/pam_krb5.so file, or you won't be able to log in! If you don't have it, install the pam_krb5 package. Be sure to change the "required" fields to "sufficient" as shown.

Suse (10.0) uses another way to include files. The common settings are divided into 4 files: common-account, common-auth, common-password and common-session. They are included with the "include" keyword in the second column. As an example, here is the login file again:

auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_resmgr.so


And here are the common-files:
common-account:
account required        pam_unix2.so


common-auth:
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_krb5.so use_first_pass


common-session:
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_krb5.so


common-password:
password required       pam_pwcheck.so  nullok
password sufficient     pam_unix2.so    nullok use_first_pass use_authtok
password sufficient     pam_krb5.so     use_authtok


(todo: more explanation and check password changing)

Try again to ssh to the Kerberos machine. You'll still have to type the password, but you can log in now!
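
An added example, not part of the original page: a simplified Python model of how Linux-PAM evaluates an auth stack, run over the auth lines shown above. Under its assumptions (every module other than a failing password check returns success; the key "suse-login" and all function names are made up for this sketch), it shows why system-auth ends with pam_deny.so: the Suse common-auth above has no such line, so the model grants access even when both password modules fail.

```python
# Added example: simplified model of how Linux-PAM walks an auth stack.
# Assumptions: only required/requisite/sufficient/optional are modelled,
# pam_deny.so always fails, and any module not in `failing` returns success.
FILES = {  # auth lines copied from the configurations on this page
    "system-auth": """auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so""",
    "common-auth": """auth required   pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass""",
    "suse-login": """auth required pam_securetty.so
auth include  common-auth
auth required pam_nologin.so
auth required pam_mail.so""",
}
PASSWORD_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_krb5.so"}

def auth_lines(service, files=FILES):
    """Yield (control, module) pairs of the auth stack, inlining 'include'."""
    for line in files[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1] == "include":
            yield from auth_lines(fields[2], files)
        else:
            yield fields[1], fields[2]

def auth_succeeds(service, failing, files=FILES):
    """True if the stack grants access when the modules in `failing` fail."""
    passed = failed = False
    for control, module in auth_lines(service, files):
        ok = module != "pam_deny.so" and module not in failing
        if control == "sufficient":
            if ok and not failed:
                return True          # success=done: grant access immediately
            continue                 # a failed 'sufficient' is ignored
        if control == "optional":
            passed = passed or ok    # failure of 'optional' is ignored
        elif ok:
            passed = True            # required/requisite succeeded
        else:
            failed = True
            if control == "requisite":
                return False         # requisite failure ends the stack
    return passed and not failed

def accepts_bad_password(service, files=FILES):
    """True if access is granted although every password check fails."""
    return auth_succeeds(service, PASSWORD_MODULES, files)
```

On a real system, confirm with a deliberately wrong password that the login is refused; if it is not, end common-auth with "auth required pam_deny.so", as system-auth does.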