Tweak pam

On a Mandrake machine I have a central system-auth file (used by ssh, login, telnet, rlogin, rexec, ...) that should look like this:

auth        required
auth        sufficient likeauth nullok
auth        sufficient use_first_pass
auth        required

account     required
account     required
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]
account     required

password    required retry=3 type=
password    sufficient nullok use_authtok md5 shadow
password    sufficient use_authtok
password    required

session     required
session     required
session     optional

The configuration files include this system-auth file (example: login):

auth       required
auth       required service=system-auth
auth       required
account    required service=system-auth
password   required service=system-auth
session    required service=system-auth
session    optional

Be sure that you have the /lib/security/ file, or you won't be able to log in! If you don't have it, install the pam_krb5 package. Be sure to change the "required" fields to sufficient as shown.

Suse (10.0) uses another way to include files. The common settings are divided into 4 files: common-account, common-auth, common-password and common-session. They are included with the "include" keyword in the second column. Again the login file as an example:

auth     required
auth     include        common-auth
auth     required
auth     required
account  include        common-account
password include        common-password
session  include        common-session
session  required

And here are the common files:

account required

auth    required
auth    sufficient
auth    sufficient use_first_pass

session required
session required
session optional

password required  nullok
password sufficient    nullok use_first_pass use_authtok
password sufficient     use_authtok

(todo: more explanation and check password changing)
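
An added check, not part of the original page: before closing your session after editing these files, a script like the following walks a service file, follows both inclusion styles shown above (a service= argument and the "include" keyword), and lists every referenced module that is missing from the module directory. The module names and temporary directories in demo() are constructed sample data, not restored from the page, and treating any service= argument as a reference to another file is an assumption of this example.

```python
import tempfile
from pathlib import Path

def parse_line(line):
    """Split a PAM line into (control, target, args); None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    rest = (line.split(None, 1) + [""])[1]        # drop the type column (auth, account, ...)
    if rest.startswith("["):                      # bracketed control: [default=bad success=ok]
        control, _, rest = rest.partition("]")
    else:
        control, rest = (rest.split(None, 1) + ["", ""])[:2]
    fields = rest.split()
    return control, (fields[0] if fields else ""), fields[1:]

def missing_modules(service, pam_dir, module_dir, seen=None):
    """Return (file, line number, module) for each module file absent from module_dir."""
    seen = set() if seen is None else seen
    path = Path(pam_dir) / service
    if service in seen:                           # already checked, or an include loop
        return []
    seen.add(service)
    if not path.is_file():
        return [(service, 0, "<config file missing>")]
    problems = []
    for lineno, raw in enumerate(path.read_text().splitlines(), 1):
        if (parsed := parse_line(raw)) is None:
            continue
        control, target, args = parsed
        if control == "include":                  # Suse style: target names another file
            problems += missing_modules(target, pam_dir, module_dir, seen)
        elif not target or not (Path(module_dir) / target).is_file():
            problems.append((service, lineno, target or "<no module>"))
        for arg in args:                          # assumption: service=NAME names another file
            if arg.startswith("service="):
                problems += missing_modules(arg[8:], pam_dir, module_dir, seen)
    return problems

def demo():
    """Constructed sample tree: pam_krb5.so is referenced but not installed."""
    pam, lib = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (pam / "login").write_text("auth required pam_stack.so service=system-auth\n"
                               "account include common-account\n")
    (pam / "system-auth").write_text("auth sufficient pam_unix.so likeauth nullok\n"
                                     "auth sufficient pam_krb5.so use_first_pass\nauth required\n")
    for mod in ("pam_stack.so", "pam_unix.so"):
        (lib / mod).touch()
    return missing_modules("login", pam, lib)
```

On a real system, call missing_modules("login", "/etc/pam.d", "/lib/security") and keep a root shell open until the list comes back empty.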

Try again to ssh to the Kerberos machine. You'll still have to type the password, but you can log in now!

Created by system. Last modified: Tuesday, December 27, 2005 23:15:17 GMT-0000 by admin.