On Thu, Feb 13, 2003 at 09:54:33PM -0800, La Temperanza wrote:
> Thanks, your PDF helped me get k5su up and running. Now can you help me switch
> my console login service to Kerberos? :) I don't quite get the man pages for PAM
> and am worried about locking myself out of my system if I do something wrong.
Step number 1: log in a different virtual console and leave it logged
in. This console is known as "insurance" ;-)
It's really not that hard with a fairly recent FreeBSD ... there should
be a pam_krb5 already in there (but commented out).
pam.conf is broken into sections, corresponding to the different
services that might require authentication. The first "block" in the
pam.conf is for the console login service. Try uncommenting the pam_krb5
line and logging in on a third virtual service.
I'm not actually using pam for services other than console login - while
pam is great for centralizing authentication, it doesn't magically add
encryption of the data stream to the various service daemons (the MIT
kerberoos -x switch for most app's). You'll needs service daemons that
specifically support that.
Hmmm. Now that I think about it, with Heimdal in the base install, the
normal daemons /might/ actually do that. It doesn't apply to me as I'm
use MIT krb5, but it'd be worth investigating if you're using the
heimdal in the base install.
- Tillman
--
Simplicity is the most difficult thing to secure in this world; it is the last
limit of experience and the last effort of genius.
George Sand
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
