Russ, I have your pam_krb5 module working with RHEL5 but I am having issues on RHEL4. When I replace the RHEL pam_krb5 with the eyrie module I can't log in. It looks like the pam_krb5 is indeed authenticating me though as seen below, well it says authenticated as the krb user. I am using the newest module or 4.3. Looks like pam_krb5 is authenticating but pam_unix is choking even though pam_krb5 is sufficient. As I said if I use the RHEL module it works but I need the extra functionality of your module. Will an older version of your module work possibly?
I am thinking the "sshd: PAM pam_parse: expecting return value; [...suficient]" may be the issue as seen below.

Thanks
TC

##Secure log##
sshd[28791]: pam_krb5(sshd): pam_sm_authenticate: entry (0x1)
sshd[28791]: pam_krb5(sshd): user joe_johnson authenticated as joe_john...@example.com
sshd[28791]: pam_krb5(sshd): pam_sm_authenticate: exit (success)
sshd[28791]: Failed password for joe_johnson from ::ffff:127.0.0.1 port 34431 ssh2
sshd[28792]: Connection closed by ::ffff:127.0.0.1

##Messages Log##
sshd: PAM pam_parse: expecting return value; [...suficient]
sshd(pam_unix)[28825]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel4test user=joe_johnson

On Thu, Jul 15, 2010 at 2:54 PM, Russ Allbery <r...@stanford.edu> wrote:
> Techie <techcha...@gmail.com> writes:
>
>>> I don't know of any reason why it shouldn't work with sudo, but I don't
>>> personally use sudo and don't have any simple way to test. I'd need to
>>> see the debug log output to understand exactly what it's doing.
>
>> You are right Russ, It was my mistake.
>> You don't use sudo! What do you use?
>
> ksu, or probably more accurately, we use Puppet to do all of the regular
> configuration management and to ensure services are running, so the small
> handful of times when we need root access to debug something, we just ksu
> or log in as root.

Good to know, I looked at ksu, it has got me interested.

>
> We do use sudo a few places to grant normal users access to do things like
> run specific init scripts, but we always use NOPASSWD for those cases.
>
> --
> Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
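
Added example, not part of the original message and not code from pam_krb5 or Linux-PAM: the pam_parse line in the messages log above is Linux-PAM reporting a control field it could not parse, and this checker flags such fields in a PAM service file before they reach a login path. The keyword and action lists follow current pam.conf(5) (an assumption for older releases), and the sample stack is constructed here, not the poster's configuration.

```python
import re

# Simple control keywords in current Linux-PAM (assumption: older releases accept fewer).
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
TYPES = {"auth", "account", "password", "session"}
# Actions allowed in the [value=action ...] form; a number N means "skip N modules".
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}
# type, control (keyword or bracketed list), module path; arguments are ignored here.
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def check_pam_config(text):
    """Return (line_number, message) for each field PAM would fail to parse."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append((n, "cannot split into type/control/module"))
            continue
        mtype, control, _module = m.groups()
        # Type and keyword are compared case-insensitively, as Linux-PAM does.
        if mtype.lstrip("-").lower() not in TYPES:
            findings.append((n, f"unknown type {mtype!r}"))
        if control.startswith("["):
            for pair in control[1:-1].split():
                _value, sep, action = pair.partition("=")
                if not sep or not (action in ACTIONS or action.isdigit()):
                    findings.append((n, f"bad control pair {pair!r}"))
        elif control.lower() not in KEYWORDS:
            findings.append((n, f"unknown control {control!r}"))
    return findings

# Constructed sample stack with one misspelled control keyword on line 3.
SAMPLE = """\
#%PAM-1.0
auth  required    pam_env.so
auth  suficient   pam_krb5.so debug
auth  sufficient  pam_unix.so nullok try_first_pass
auth  [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet
auth  required    pam_deny.so
"""

if __name__ == "__main__":
    for n, msg in check_pam_config(SAMPLE):
        print(f"line {n}: {msg}")
```

A module whose control field fails to parse has all of its return codes treated as failures, so a successful result from that module does not end the stack the way a working "sufficient" entry would.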