[CentOS] Re: nis and new users

Ross S. W. Walker rwalker at medallion.com
Tue Apr 15 18:09:00 UTC 2008 

Scott Silva wrote:
> 
> on 4-15-2008 10:17 AM Jason Pyeron spake the following:
> > 
> >Ross S. W. Walker wrote:
> >>
> >> Well what you have will only cover console logins via the login
> >> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >>
> >> Try this:
> >>
> >> /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth        required      pam_env.so
> >> auth        optional      pam_group.so
> >> auth        sufficient    pam_unix.so nullok try_first_pass
> >> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> >> auth        sufficient    pam_krb5.so use_first_pass
> >> auth        required      pam_deny.so
> >>
> >> account     required      pam_unix.so broken_shadow
> >> account     sufficient    pam_localuser.so
> >> account     sufficient    pam_succeed_if.so uid < 500 quiet
> >> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> >> account     required      pam_permit.so
> >>
> >> password    requisite     pam_cracklib.so try_first_pass retry=3
> >> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> >> password    sufficient    pam_krb5.so use_authtok
> >> password    required      pam_deny.so
> >>
> >> session     optional      pam_keyinit.so revoke
> >> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
> >> silent
> >> session     required      pam_limits.so
> >> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session     required      pam_unix.so
> >> session     optional      pam_krb5.so
> >>
> > 
> > Hmm, it worked for su -l but not ssh logins ....
> > 
> > 
> > Making progress.
>
> Do you have ssh set to use pam?
> 

Excellent point.

Do you have it set in /etc/ssh/sshd_config, like such:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

More information about the CentOS mailing list