Re: Kerberising login (mingetty)
>>>>> "Raul" == Raul Seemendi <raul@systrix.com> writes:
Raul> Hi. I am running Debian and I would like to kerberise my
Raul> login in Linux. What procedures should I follow to do
Raul> that? I have searched the net and nothing helpful popped
Raul> out. I have Heimdal's PAM module. I know that I need to
Raul> reconfigure PAM to authenticate in Kerberos, but I am not
Raul> sure how to do that. Also I have no knowledge of what kind of
Raul> principals I need to have in the Kerberos server.
PAM configuration is stored in /etc/pam.d/. The files you will most
likely want to edit are login and gdm (assuming you use gdm, otherwise
replace gdm with xdm or whatever else you use).
I have in my auth section (only relevant entries shown):
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so try_first_pass
auth required pam_permit.so
auth optional pam_krb5.so try_first_pass
This means it will try authenticating against Unix. If that doesn't
work, it tries LDAP. If one of those works, it then tries to obtain a
Kerberos ticket, but this is marked as optional so it is not required.
This may not be what you want; chances are you don't use LDAP.
If I changed it to (not tested):
auth [success=1 default=ignore] pam_unix.so
auth required pam_krb5.so try_first_pass
auth required pam_permit.so
then the standard /etc/shadow password checking would occur first, and if
that doesn't work it will try Kerberos.
So... really... it depends on what you want to happen. Do you want it
to try standard Unix password checking if Kerberos doesn't work, or
the other way around? If you only specify pam_krb5.so it won't check
/etc/shadow at all - but this could be a problem if the KDC ever goes
down, and you can't log in (not even as root) to fix it.
PAM configuration is very flexible...
Ohhh... if you do change your PAM configuration, make sure you
properly test it. In fact I would highly recommend that you check that
you can still log in again as root *before logging out* (from first
hand experience)!
I hope this helps....(?)
--
Brian May <bam@snoopy.apana.org.au>
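The stacks above are easy to misread, because the bracketed `[success=1 default=ignore]` form, `required` and `optional` compose in non-obvious ways. The following is an added example, not code from the post or from Linux-PAM: a small simulator of the `auth` stack evaluation rules documented in pam.conf(5) (keyword flags expanded to their bracket equivalents; actions ok, done, bad, die, ignore, reset and "skip N"). The modules are faked against an in-memory world so it runs offline; the account names and passwords are constructed, and the `try_first_pass` argument is modelled simply by handing every module the same password. It reproduces the two stacks from the post and the Kerberos-only stack the post warns about, so you can see which users can still log in when the KDC is down.

```python
"""Simplified model of how Linux-PAM evaluates an 'auth' stack (added example)."""

# pam.conf(5): keyword control flags expressed as bracket actions.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Fake modules. Each returns a PAM result in the lowercase form used as a
# key inside [...] brackets (success, auth_err, user_unknown, ...).
def _check(store, user, password):
    stored = store.get(user)
    if stored is None:
        return "user_unknown"
    return "success" if stored == password else "auth_err"

def pam_unix(user, password, world, args):
    return _check(world["shadow"], user, password)

def pam_ldap(user, password, world, args):
    return _check(world["ldap"], user, password)

def pam_krb5(user, password, world, args):
    if not world["kdc_up"]:            # KDC unreachable: module cannot decide
        return "authinfo_unavail"
    return _check(world["kdc"], user, password)

def pam_permit(user, password, world, args):
    return "success"

MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap,
           "pam_krb5.so": pam_krb5, "pam_permit.so": pam_permit}

def parse_control(text):
    """Turn 'required' or '[success=1 default=ignore]' into an action table."""
    if text.startswith("["):
        return dict(item.partition("=")[::2] for item in text.strip("[]").split())
    return dict(KEYWORDS[text])

def parse_stack(config):
    """Parse /etc/pam.d-style 'auth <control> <module> [args...]' lines."""
    stack = []
    for raw in config.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] != "auth":
            raise ValueError("only auth lines are modelled: " + raw)
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, module, args = parse_control(" ".join(fields[1:end + 1])), fields[end + 1], fields[end + 2:]
        else:
            control, module, args = parse_control(fields[1]), fields[2], fields[3:]
        stack.append((control, module, args))
    return stack

def run_stack(config, user, password, world):
    """Evaluate the stack; return (final result, per-module trace)."""
    impression = None        # None = undecided, "positive" or "negative"
    status = "perm_denied"   # what an undecided stack returns
    skip, trace = 0, []
    for control, module, args in parse_stack(config):
        if skip:
            skip -= 1
            trace.append((module, "skipped", "-"))
            continue
        result = MODULES[module](user, password, world, args)
        action = control.get(result, control.get("default", "bad"))
        trace.append((module, result, action))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A success only counts while nothing has failed yet.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                break                        # sufficient: decision made
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", result   # first failure wins
            if action == "die":
                break                        # requisite: stop immediately
        elif action == "reset":
            impression, status = None, "perm_denied"
        else:
            skip = int(action)               # "N": jump over the next N modules
    if status == "success" and impression != "positive":
        status = "perm_denied"               # dispatcher sanity check
    return status, trace

def authenticate(config, user, password, world):
    return run_stack(config, user, password, world)[0]

# The two stacks from the post, and the Kerberos-only stack it warns against.
POST_STACK = """auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so try_first_pass
auth required pam_permit.so
auth optional pam_krb5.so try_first_pass
"""
PROPOSED_STACK = """auth [success=1 default=ignore] pam_unix.so
auth required pam_krb5.so try_first_pass
auth required pam_permit.so
"""
KRB5_ONLY_STACK = "auth required pam_krb5.so\n"

def make_world(kdc_up=True):
    """Constructed accounts: root has a local password, raul exists only in the KDC."""
    return {"shadow": {"root": "local-root-pw"}, "ldap": {},
            "kdc": {"raul": "raul-krb-pw", "root": "root-krb-pw"}, "kdc_up": kdc_up}

if __name__ == "__main__":
    for name, stack in (("post", POST_STACK), ("proposed", PROPOSED_STACK), ("krb5-only", KRB5_ONLY_STACK)):
        for user, pw, up in (("raul", "raul-krb-pw", True), ("root", "local-root-pw", False)):
            status, trace = run_stack(stack, user, pw, make_world(up))
            print(f"{name:10} {user:5} kdc_up={up!s:5} -> {status:17} {trace}")
```

Running it shows the point of the thread: with the Kerberos-only stack, root's local password is never consulted and the result when the KDC is down is `authinfo_unavail`, whereas both stacks from the post let root in via `pam_unix` (the success action `1` skips the next module, and the `required pam_permit.so` line is what turns that skip into a positive decision). It also shows that the original stack cannot authenticate a Kerberos-only user at all, because `pam_ldap` is `required` and `pam_krb5` is only `optional`.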