After all that, I now have an AFS question. I'm not sure whether I should ask the question here or on the OpenAFS list, as it seems at least to me that it's a Kerberos ticket forwarding problem.
I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):
auth [success=ok default=1] pam_krb5.so forwardable
auth [default=done] pam_openafs_session.so debug
[EMAIL PROTECTED]'s password:
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/[EMAIL PROTECTED]
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/[EMAIL PROTECTED]
10/29/04 18:33:39  10/30/04 04:33:39  afs/[EMAIL PROTECTED]
[EMAIL PROTECTED]:~$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for [EMAIL PROTECTED] [Expires Oct 30 04:33]
   --End of list--
Then, from jack (which has a kerberized ssh installation), I try to ssh into itself:
[EMAIL PROTECTED]:~$ ssh -K jack
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux
Well, check your /etc/hosts file. I believe that Debian puts the hostname on the 127.0.0.1 line. This is not good.
You want to do something like this:
[EMAIL PROTECTED]:/]% cat /etc/hosts
127.0.0.1 localhost
128.174.251.6 clortho.acm.uiuc.edu clortho
128.174.251.37 enzo.acm.uiuc.edu enzo
Or else you'll end up with Kerberos trying to get tickets for localhost and the KDC as well as the client libraries will get confused as to which machine is "localhost."
The Kerberos tickets were forwarded correctly, but the AFS ticket was not. Is this a problem with my ssh-krb5 installation, or should I be asking the OpenAFS list about this?
You probably should be asking this question on the OpenAFS list, but there are many who read both.
Looking at my /var/log/auth.log output, it looks as if the "ssh -K jack" command skips pam completely:
PAM should not be skipped, even when using credential forwarding.
Why is it that AFS tickets aren't being forwarded?
AFS tokens are NOT forwarded through SSH. Instead, you would use your forwarded Kerberos tickets to obtain AFS tokens on the remote machine. (Usually via PAM, although several sites have modified the OpenSSH code.)
You have libpam-openafs-session installed. Are you using it as a session module also?
session required pam_openafs_session.so
This could also be a problem with Kerberos tickets not being "forwardable."
Please show output from klist -f:
[EMAIL PROTECTED]:/]% klist -f
Ticket cache: FILE:/tmp/krb5cc_3qzSel
Default principal: [EMAIL PROTECTED]

Valid starting Expires Service principal
10/29/04 13:35:04 10/29/04 23:35:02 krbtgt/[EMAIL PROTECTED]
Flags: FPI
10/29/04 13:35:08 10/29/04 23:35:02 afs/[EMAIL PROTECTED]
Flags: FPT
The 'F' means that the ticket is forwardable. If your tickets are not forwardable they will only be used for authentication and not actually be available in your ccache on the remote machine.
It looks like your tickets are being forwarded though, so it's probably just the session PAM config for pam_openafs_session.
<<CDC
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin
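As an added example (not from this thread, and not code from the Kerberos or OpenAFS projects), a small Python check that applies the three diagnoses given above to constructed sample inputs: the F flag on the TGT in klist -f output, the hostname sitting on the 127.0.0.1 line of /etc/hosts, and the absence of a pam_openafs_session session line. The sample texts, the regular expressions for the klist format shown here, and the function names are assumptions.

```python
import re
# Constructed sample inputs in the formats shown in the thread (not the poster's real output).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_example
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
10/29/04 13:35:04  10/29/04 23:35:02  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FPI
10/29/04 13:35:08  10/29/04 23:35:02  afs/example.org@EXAMPLE.ORG
        Flags: FPT
"""
SAMPLE_HOSTS = "127.0.0.1 localhost jack\n128.174.251.6 clortho.acm.uiuc.edu clortho\n"
SAMPLE_PAM = ("auth [success=ok default=1] pam_krb5.so forwardable\n"
              "auth [default=done] pam_openafs_session.so debug\n")
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
FLAGS_RE = re.compile(r"^Flags:\s*([A-Za-z]*)$")
def parse_klist(text):
    """Map each service principal in 'klist -f' output to its flag letters (e.g. 'FPI')."""
    creds, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:                      # a ticket line: remember which principal the next Flags: belongs to
            last = m.group(3)
            creds[last] = ""
        else:
            m = FLAGS_RE.match(line)
            if m and last:
                creds[last] = m.group(1)
    return creds

def diagnose(klist_text, hosts_text, pam_text, hostname):
    """Return the misconfigurations raised in the thread that are present in the inputs."""
    problems = []
    creds = parse_klist(klist_text)
    tgts = [s for s in creds if s.startswith("krbtgt/")]
    if not tgts:
        problems.append("no TGT in the credential cache")
    elif "F" not in creds[tgts[0]]:
        problems.append("TGT is not forwardable (no F flag): ssh -K authenticates but leaves no ccache remotely")
    # Debian-style /etc/hosts with the hostname on the 127.0.0.1 line confuses ticket requests.
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "127.0.0.1" and hostname in fields[1:]:
            problems.append("/etc/hosts maps %s to 127.0.0.1; tickets may be requested for localhost" % hostname)
    # AFS tokens are not forwarded; a session module must derive them from the forwarded TGT.
    if not any(l.split()[:1] == ["session"] and "pam_openafs_session.so" in l for l in pam_text.splitlines()):
        problems.append("pam_openafs_session.so is not a session module, so no AFS token is obtained from the forwarded TGT")
    return problems
```

Feed it the real klist -f, /etc/hosts and PAM file contents of the client and it reports which of the three conditions still apply.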
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
