PAM not required for ticket retention
Posted by Pepijn Oomen
After yet another day of changing sshd_config and the PAM configuration and an endless number of restarts of the SSH daemon, I found a more elegant way of getting an SSH-enabled host to work as a base camp for users who cannot generate proper Kerberos tickets on their local workstation (that is, Windows 2000 users not joined to an AD domain).
It turns out that (at least on Sarge) libpam-krb5 is not required after all. With KerberosAuthentication enabled, sshd validates the password against the KDC itself and stores the resulting ticket for the session, so no PAM module is involved in obtaining it; ChallengeResponseAuthentication is switched off so that clients use plain password authentication rather than keyboard-interactive, which would go through PAM alone and skip that check. Note that sshd_config(5) requires the host to have a Kerberos keytab for this option, so that the KDC's identity can be verified and the password is not handed to a spoofed KDC. The following settings in the SSH daemon's configuration have the desired effect:
KerberosAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
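Because sshd takes the first value it finds for each keyword, a recipe appended to the end of a distribution sshd_config can be silently overridden by an earlier line. The following added audit script (not part of the original post) parses an sshd_config the way sshd does, including the first-value-wins rule and the end of the global section at a Match line, and reports where the four settings above are not actually in force; the sample configuration is constructed for the example.

```python
import re

# Directives the post relies on (lowercase keyword -> value); sshd_config
# keywords and their yes/no values are matched case-insensitively.
EXPECTED = {
    "kerberosauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "no",
    "usepam": "yes",
}
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")  # 'Key value' / 'Key=value'

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    As in sshd: '#' starts a comment, the FIRST value of a keyword wins
    (later duplicates are ignored), and a 'Match' line ends the global section.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return [(keyword, expected, effective)] for each directive that differs
    from EXPECTED; 'effective' is None when unset (sshd then uses its built-in
    default). An empty list means the recipe is actually in force.
    """
    settings = parse_sshd_config(text)
    return [(key, want, settings.get(key))
            for key, want in EXPECTED.items() if settings.get(key) != want]

# Constructed sample (not from the post): the recipe was appended to a
# Debian-style sshd_config without removing the earlier
# 'PasswordAuthentication no', so that earlier value is what sshd honours.
SAMPLE_CONFIG = """\
PasswordAuthentication no
UsePAM yes
KerberosAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Running `audit_sshd_config(SAMPLE_CONFIG)` reports that the effective PasswordAuthentication value is "no", which is exactly the kind of mismatch that costs a day of restarts; `sshd -T` output can be fed to the same function to check the running daemon's effective settings.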
The libpam-krb5 module is still useful for things like sudo, and in that case the preferred way to set it up is the following:
/etc/pam.d/sudo:
auth sufficient pam_krb5.so
@include common-auth
@include common-account
/etc/pam.d/common-auth:
auth required pam_unix.so nullok_secure try_first_pass