If I remember right, when GSSAPIAuthentication is used and the client has a valid Kerberos ticket, PAM won't be called on the server, so the PAM module won't help in that case.

Markus

"Booker Bense" <bbe...@slac.stanford.edu> wrote in message news:alpine.lrh.2.00.1106110716160.24...@telemark.slac.stanford.edu...
>
> For various reasons[1] I've found that the pam solution doesn't cover all
> bases and I've resorted to putting aklog in
>
> /etc/ssh/sshrc
>
> If you have an sshrc it needs to deal with the xauth stuff as well.
>
> #
> # Evil workaround for pam sshd stupidity.
> if [ -n "$KRB5CCNAME" ] && [ -x /usr/bin/aklog ]; then
>     /usr/bin/aklog
> fi
> if read proto cookie && [ -n "$DISPLAY" ]; then
>     if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
>         # X11UseLocalhost=yes
>         echo add unix:`echo $DISPLAY |
>             cut -c11-` $proto $cookie
>     else
>         # X11UseLocalhost=no
>         echo add $DISPLAY $proto $cookie
>     fi | /usr/bin/xauth -q -
> fi
>
> - Booker C. Bense
>
> [1]- To be honest I've forgotten exactly what the combination was, but
> there was one edge case that I just couldn't get the
> pam based solution to work. The sshrc solution is also required
> on OS X.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos