I assume there is an easy solution to this, but I prefer to ask before mucking up our intranet server. During a support session, my co-worker and I realized we could log in with our Kerberos credentials over SSH, but not the console (in this case the VI Client for ESXi, but it does not really matter). So, do I just modify the login PAM config?
Current state:
# PAM configuration for the "sshd" service
#
# auth
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_krb5.so try_first_pass
auth required pam_unix.so try_first_pass
# account
#account required pam_nologin.so
#account required pam_login_access.so
account sufficient pam_krb5.so try_first_pass
account required pam_unix.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
#password required pam_unix.so no_warn try_first_pass
password required pam_permit.so
# session
#session optional pam_ssh.so
#session required pam_permit.so
session required pam_permit.so
#
#
# PAM configuration for the "login" service
#
# auth
auth sufficient pam_self.so no_warn
auth include system
# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
# session
session include system
# password
password include system
Any hints or tips welcome.
Your instinct is correct - the solution is "Make your login service's PAM configuration look like your SSH service's PAM configuration". Not exactly alike, mind you -- make sure you can still get in with non-kerberos logins as root, for example, in case you need to jump on the console in an emergency. PAM is great for that kind of fallback configuration.
For more details/help see the man pages for the PAM modules in question, and man pam.conf for details on the PAM configuration file format.
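As an added example (not from the question or the answer above), this is what the "login" service file could look like after applying that advice: pam_krb5 is marked sufficient so a valid Kerberos password grants access, and pam_unix stays required behind it so a local account such as root can still log in at the console with its local password when the KDC is unreachable. The console-only checks from the original file (pam_self, pam_securetty, pam_nologin) are kept; the file path /etc/pam.d/login is the usual FreeBSD location and is assumed here.

```text
# PAM configuration for the "login" service
# (added example; assumed location /etc/pam.d/login)
#
# auth
# A user who already runs as that uid may re-login without a password
# (kept from the original "login" file)
auth		sufficient	pam_self.so		no_warn
# Try Kerberos first; "sufficient" ends the auth stack on success
auth		sufficient	pam_krb5.so		try_first_pass
# Fallback to the local password database; "required" keeps the console
# usable for root and other local accounts if Kerberos is unavailable
auth		required	pam_unix.so		try_first_pass
# account
# Console-specific checks: only secure ttys, and honour /var/run/nologin
account		requisite	pam_securetty.so
account		required	pam_nologin.so
# Kerberos account validation is sufficient; pam_unix remains required so
# local accounts (and their expiry settings) are still checked
account		sufficient	pam_krb5.so
account		required	pam_unix.so
# session
session		include		system
# password
password	include		system
```

Keep a root shell open while testing this from a second tty, so a typo in the file cannot lock you out of the console before it is verified. Editing /etc/pam.d/system instead would apply the same change to every service that includes it, which is broader than the question asks for.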