Using PAM with Kerberized SSH
Posted by Pepijn Oomen
This one I actually only solved today, after struggling with a Debian Woody installation and comparing it with a previously installed Sarge. On Sarge I found that enabling the libpam-krb5 module did not seem to have the desired effect, that is, retaining the ticket obtained when the user authenticates. The upstream README shipped with the package says:
session module: This is complete (both functions just return success).
So I decided not to install this module into the PAM session chain. Then I discovered that to make the ticket available on Woody, I had to use the PAM module, while on Sarge I had to refrain from using PAM for SSH completely. Retrieving the sources revealed that the newer version actually includes some code in the session part of the module. And this code does exactly what I was looking for. To set this up, do the following:
# apt-get install libpam-krb5
Change /etc/ssh/sshd_config to have:
KerberosAuthentication yes
UsePAM yes
Now install the PAM module as follows:
/etc/pam.d/common-auth
auth sufficient pam_krb5.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-session
session optional pam_krb5.so
session required pam_unix.so
This allows you to store users' passwords in Kerberos and remove them from /etc/shadow. Keep at least one maintenance account (root, for instance) with a local password in /etc/shadow, so you can still log in if the Kerberos server is unreachable; with the chain above, such an account simply fails pam_krb5 and falls through to pam_unix, which is why pam_krb5 is "sufficient" in the auth chain and "optional" in the session chain rather than "required". Also make sure the host has its own key in /etc/krb5.keytab, so pam_krb5 can verify the ticket it obtains against the host principal instead of trusting whatever answers as the KDC.
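As an added example, not part of the original post, the following POSIX shell script checks the sshd and PAM files for the settings above before sshd is restarted: it verifies that KerberosAuthentication and UsePAM are both on, that every Kerberos* directive is one sshd actually knows (sshd refuses to start on an unknown option, so a misspelled directive locks out new logins), that common-auth tries pam_krb5 first as "sufficient" and then pam_unix with use_first_pass, and that common-session carries pam_krb5 as "optional". The function names are my own; the paths are the Debian ones the post uses; the sample files written by write_sample_configs are constructed for the demonstration, not taken from a live host; and the post-login check assumes an MIT or Heimdal klist that supports -s.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the sshd and PAM
# settings for Kerberized SSH before restarting sshd, and confirm after
# login that the ticket survived. Paths are Debian's; the sample files
# written by write_sample_configs are constructed for the demonstration.

# Value of sshd_config option $2 in file $1: first active line, option name
# compared case-insensitively as sshd does. Empty if unset.
sshd_option() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# 0 when KerberosAuthentication and UsePAM are both set to yes, else 1.
check_sshd_config() {
    for opt in KerberosAuthentication UsePAM; do
        val=$(sshd_option "$1" "$opt" | tr 'A-Z' 'a-z')
        [ "$val" = "yes" ] || { echo "$1: $opt is not 'yes' (got '${val:-unset}')"; return 1; }
    done
    return 0
}

# 0 when every Kerberos* option in sshd_config is one sshd knows, else 1.
# sshd refuses to start on an unknown option name, so a typo such as
# "KerberosAuthenitation" blocks all new logins until it is fixed.
check_sshd_kerberos_names() {
    rc=0
    for name in $(grep -i '^[[:space:]]*Kerberos' "$1" | awk '{print $1}'); do
        case "$(echo "$name" | tr 'A-Z' 'a-z')" in
            kerberosauthentication|kerberosorlocalpasswd|kerberosticketcleanup|kerberosgetafstoken) ;;
            *) echo "$1: unknown sshd option '$name'"; rc=1 ;;
        esac
    done
    return $rc
}

# 0 when common-auth tries pam_krb5 first as 'sufficient' and then pam_unix
# with use_first_pass: a Kerberos password is verified once, and a local-only
# account (the maintenance account) falls through to /etc/shadow without a
# second password prompt.
check_pam_auth() {
    lines=$(grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*auth[[:space:]]')
    krb=$(echo "$lines" | grep -n 'pam_krb5\.so' | head -n 1)
    unix=$(echo "$lines" | grep -n 'pam_unix\.so' | head -n 1)
    { [ -n "$krb" ] && [ -n "$unix" ]; } || { echo "$1: need both pam_krb5 and pam_unix auth lines"; return 1; }
    [ "${krb%%:*}" -lt "${unix%%:*}" ] || { echo "$1: pam_krb5 must precede pam_unix"; return 1; }
    [ "$(echo "$krb" | awk '{print $2}')" = sufficient ] || { echo "$1: pam_krb5 must be 'sufficient'"; return 1; }
    case $unix in *use_first_pass*) ;; *) echo "$1: pam_unix needs use_first_pass"; return 1 ;; esac
    return 0
}

# 0 when common-session lists pam_krb5 as 'optional', which is what carries
# the ticket into the login session without breaking local-only accounts.
check_pam_session() {
    grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*session[[:space:]]' \
        | awk '$3 == "pam_krb5.so" && $2 == "optional" { ok = 1 } END { exit ok ? 0 : 1 }' \
        || { echo "$1: missing 'session optional pam_krb5.so'"; return 1; }
}

# After an ssh login: 0 when a valid, unexpired ticket cache exists, 2 when
# klist is not installed. Only meaningful on the configured host.
check_ticket_after_login() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s
}

# Write constructed copies of the post's configuration into directory $1,
# plus an sshd_config with the misspelled directive to show it being caught.
write_sample_configs() {
    mkdir -p "$1"
    printf '%s\n' 'Port 22' 'KerberosAuthentication yes' 'UsePAM yes' >"$1/sshd_config"
    printf '%s\n' 'Port 22' 'KerberosAuthenitation yes' 'UsePAM yes' >"$1/sshd_config.typo"
    printf '%s\n' 'auth sufficient pam_krb5.so' \
        'auth required pam_unix.so nullok_secure use_first_pass' >"$1/common-auth"
    printf '%s\n' 'session optional pam_krb5.so' 'session required pam_unix.so' >"$1/common-session"
}

# Run every file check against the live Debian paths, stopping at the first
# problem. Usage on the host: sh check-krb5-ssh.sh --live
check_live() {
    check_sshd_config /etc/ssh/sshd_config \
    && check_sshd_kerberos_names /etc/ssh/sshd_config \
    && check_pam_auth /etc/pam.d/common-auth \
    && check_pam_session /etc/pam.d/common-session
}

if [ "$1" = "--live" ]; then
    check_live && echo "configuration looks consistent"
fi
```

Run it with --live on the host before restarting sshd, keep an existing ssh session open while you do, and then log in from a second session and run klist (or check_ticket_after_login) to confirm the ticket obtained during authentication is in the new session's credential cache.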


