I assume there is an easy solution to this, but I prefer to ask before mucking up our intranet server. During a support session, my co-worker and I realized we could log in with our Kerberos credentials over SSH, but not on the console (in this case the VI Client for ESXi, but it does not really matter). So, do I just modify the login PAM config?

Current state:

# PAM configuration for the "sshd" service
#

# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_krb5.so             try_first_pass
auth            required        pam_unix.so             try_first_pass

# account
#account        required        pam_nologin.so
#account        required        pam_login_access.so
account         sufficient      pam_krb5.so             try_first_pass
account         required        pam_unix.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
#password       required        pam_unix.so             no_warn try_first_pass
password        required        pam_permit.so

# session
#session        optional        pam_ssh.so
#session        required        pam_permit.so
session         required        pam_permit.so           

#
#
# PAM configuration for the "login" service
#

# auth
auth            sufficient      pam_self.so             no_warn
auth            include         system

# account
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         include         system

# session
session         include         system

# password
password        include         system

Any hints or tips welcome.

songei2f

1 Answer

Your instinct is correct - the solution is "Make your login service's PAM configuration look like your SSH service's PAM configuration."

Not exactly alike, mind you -- make sure you can still get in with non-Kerberos logins as root, for example, in case you need to jump on the console in an emergency. PAM is great for that kind of fallback configuration.

For more details/help see the man pages for the PAM modules in question, and man pam.conf for details on the PAM configuration file format.

voretaq7
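One way to lay out the `login` stack the answer describes, as an added example that is neither the asker's nor the answerer's file: it carries the `auth` lines from the `sshd` configuration in the question into the `login` service while keeping `pam_securetty` and `pam_nologin`, and it assumes the same FreeBSD `pam_krb5` and `pam_unix` modules and options the question's `sshd` file already uses.

```text
#
# PAM configuration for the "login" service
# (added example; assumes the pam_krb5/pam_unix modules from the sshd file)
#

# auth
# pam_self lets an already-authenticated user re-login as themselves.
auth            sufficient      pam_self.so             no_warn
# Kerberos is tried first; "sufficient" means a valid ticket ends the stack
# successfully, but a Kerberos failure is not fatal by itself.
auth            sufficient      pam_krb5.so             no_warn try_first_pass
# pam_unix is "required": it is the hard fallback to the local password
# database, so root (or any local account) still gets in at the console
# when the KDC is unreachable or the account has no Kerberos principal.
auth            required        pam_unix.so             no_warn try_first_pass

# account
# Console-specific checks stay in place: root only on secure ttys,
# and /var/run/nologin still blocks non-root logins.
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         sufficient      pam_krb5.so
account         required        pam_unix.so

# session
session         include         system

# password
password        include         system
```

The fallback works only because `pam_unix` is `required` rather than `sufficient`: with `try_first_pass`, the password typed once is handed to Kerberos first and then, on failure, to the local database, so a console login never depends on the KDC being up. Keep an existing root session open while testing the new file, and confirm both a Kerberos user and root with a local password can log in before closing it.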