On Thu, Oct 09, 2008 at 08:48:59PM +0200, Gunnarsson, Gunnar wrote:
> It works with sshd-kbdint but what password does sshd-password provide ?

Not sure so I've cc'ed the ssh peeps.

> The Kerberos documentation on the Sun web is pretty good although some more
> details are needed e.g. for the migration part.

Okay, I'll open an RFE (request for enhancement) on the krb docs.

> Thanks
> Gunnar Gunnarsson
>
> -----Original message-----
> From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
> Sent: 9 October 2008 19:55
> To: Douglas E. Engert
> Cc: Gunnarsson, Gunnar; kerberos-discuss at opensolaris.org
> Subject: Re: [kerberos-discuss] How to Configure Automatic Migration of Users in
> a Kerberos Realm
>
> On Thu, Oct 09, 2008 at 11:37:04AM -0500, Douglas E. Engert wrote:
> >
> > Gunnar Gunnarsson wrote:
> > > How can I migrate users logging in through ssh using pam_krb5_migrate
> > > module ?
> > > I am running Solaris 10 - ssh --V
> > > Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
> >
> > Look at man sshd. Depending on what authentication method is being
> > used, it will call pam with different pam service names.
> >  ___________________________________________________________
> > |       SSHv2 Userauth        |      PAM Service Name       |
> > |_____________________________|_____________________________|
> > | none                        | sshd-none                   |
> > |_____________________________|_____________________________|
> > | password                    | sshd-password               |
> > |_____________________________|_____________________________|
> > | keyboard-interactive        | sshd-kbdint                 |
> > |_____________________________|_____________________________|
> > | pubkey                      | sshd-pubkey                 |
> > |_____________________________|_____________________________|
> > | hostbased                   | sshd-hostbased              |
> > |_____________________________|_____________________________|
> > | gssapi-with-mic             | sshd-gssapi                 |
> > |_____________________________|_____________________________|
> > | gssapi-keyex                | sshd-gssapi                 |
> > |_____________________________|_____________________________|
> >
> > So you should be able to call pam_krb5 from sshd-password and
> > sshd-kbdint
>
> Right. One thing to remember is that pam_krb5_migrate is going to need the
> user's password in order to create the krb5 principal. In order to get that
> password ssh needs to use an auth method that provides that password to the
> PAM auth stack. In man sshd there is this:
>
>     Specifically, sshd calls pam_authenticate() for the "none,"
>     "password" and "keyboard-interactive" SSHv2 userauth types,
>     as well as for the null and password authentication
>     methods for SSHv1. Other SSHv2 authentication methods do
>     not call pam_authenticate(). pam_acct_mgmt() is called for
>     each authentication method that succeeds.
>
> In man pam_krb5_migrate it states that it is a PAM auth module. This is
> distinct from an account mgt module. So taking all this into account
> (heh) this means that when using ssh one must use an ssh auth method that uses
> the PAM auth stack (calls pam_authenticate()) in order for the
> pam_krb5_migrate PAM module to be used as desired.
>
> Note, Sun is aware that pam.conf config is confusing and people are working
> on this issue.
> --
> Will Fiveash
> Sun Microsystems Inc.
> http://opensolaris.org/os/project/kerberos/

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
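
The rule discussed in the thread, as an added example that is not part of the original messages: a Python check that reads a pam.conf and reports, per SSHv2 userauth method, whether pam_krb5_migrate sits in an auth stack that sshd actually runs. The pam.conf sample is constructed, and the fallback to the "other" service and the status labels are assumptions of this example.

```python
# Added example: audit a Solaris-style pam.conf for pam_krb5_migrate placement.
# Service names are taken from the sshd man page table quoted in the thread.
SSHD_SERVICES = {
    "none": "sshd-none", "password": "sshd-password",
    "keyboard-interactive": "sshd-kbdint", "pubkey": "sshd-pubkey",
    "hostbased": "sshd-hostbased", "gssapi-with-mic": "sshd-gssapi",
    "gssapi-keyex": "sshd-gssapi",
}
# Per the quoted man page text, only these SSHv2 methods call pam_authenticate().
CALLS_PAM_AUTHENTICATE = {"none", "password", "keyboard-interactive"}

def parse_pam_conf(text):
    """Return {(service, module_type): [module_path, ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 4:                      # service type flag module [options]
            continue
        service, mtype, _flag, module = fields[:4]
        stacks.setdefault((service.lower(), mtype.lower()), []).append(module)
    return stacks

def auth_stack(stacks, service):
    # Assumption: a service with no auth entries of its own uses the "other" entries.
    return stacks.get((service, "auth")) or stacks.get(("other", "auth"), [])

def migration_report(text, module="pam_krb5_migrate"):
    """Status labels (hypothetical): migrates / missing / unreachable / n/a."""
    stacks = parse_pam_conf(text)
    report = {}
    for method, service in SSHD_SERVICES.items():
        present = any(module in m for m in auth_stack(stacks, service))
        if method in CALLS_PAM_AUTHENTICATE:
            report[method] = "migrates" if present else "missing"
        else:
            # The auth stack is never run for this method, so an entry is dead config.
            report[method] = "unreachable" if present else "n/a"
    return report

# Constructed sample for illustration, not a recommended configuration.
SAMPLE = """
sshd-kbdint  auth requisite  pam_authtok_get.so.1
sshd-kbdint  auth sufficient pam_krb5.so.1
sshd-kbdint  auth requisite  pam_unix_auth.so.1
sshd-kbdint  auth optional   pam_krb5_migrate.so.1
sshd-pubkey  auth optional   pam_krb5_migrate.so.1  # sshd never runs this stack
other        auth requisite  pam_authtok_get.so.1
other        auth required   pam_unix_auth.so.1
"""

if __name__ == "__main__":
    for method, status in migration_report(SAMPLE).items():
        print(f"{method:22} {SSHD_SERVICES[method]:15} {status}")
```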
