SSH, Kerberos, AD: how / where to config /etc/pam.d/password-auth?

Question

I have a CentOS 6 machine here and want to give SSH access for users from another forest, which is trusted. I got a temporary workaround, which is:

1) change content in /etc/pam.d/vncserver to

auth include password-auth

2) add these two lines /etc/pam.d/password-auth

auth        sufficient    pam_krb5.so use_first_pass realm=NEW.DOMAIN.NET
password    sufficient    pam_krb5.so use_authtok realm=NEW.DOMAIN.NET

so it looks that way:

%PAM-1.0
This file is auto-generated.
User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass realm=NEW.DOMAIN.NET
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_krb5.so use_authtok realm=NEW.DOMAIN.NET
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

3) add new domain name to /etc/krb5.conf

4) restart SSH daemon

--> Works fine, but after each system-config-authentication (authconfig -update_all) the changes from 2) are overwritten (undone) and the SSH-connection is refused then.

My question is where to add the additional new domain to keep it working permanently. A simple substitution won't work, as the old domain / forest is still in use too.

Just adding the new domain just to /etc/krb5.so won't do the trick, as then it only checks the default domain, which is not "NEW.DOMAIN.NET". Any idea is welcome...

Regards, Thomas

score 1 · Answer 1 · answered Dec 23 '15 at 09:34

1

You can use FreeIPAs AD synchronization feature for this. It is not really the same but does the same job and is way easier to manage and control.

answered Dec 23 '15 at 09:34

Florin Asăvoaie

6,932
22
35

SSH, Kerberos, AD: how / where to config /etc/pam.d/password-auth?

1 Answers1