Christopher D Clausen <[EMAIL PROTECTED]> writes:
> Lars Schimmer <[EMAIL PROTECTED]> wrote:

>> After some time with krb5 and pam working but with no ticket forwarding
>> I want to set that up. Anyone got krb5-ticket forwarding with
>> automatic token generation on remote debian pc running and has tips for
>> me to set this up?

> https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian

> And you want to install libpam-openafs-session and add it to the
> appropriate PAM config files as well. The ssh-krb5 package should by
> default always run through the PAM routines, even when using forwarded
> credentials so that you always get tokens.

Note that in etch you'll be able to just use openssh-server and
openssh-client, as the main OpenSSH package has now incorporated the
GSSAPI fixes.

> I can post my PAM configs as well if that is desired, but I basically
> copied ones I found in various mailing list archive posts,
> http://mailman.mit.edu/pipermail/kerberos/2004-October/006621.html

The README.Debian installed with openafs-client, at least the etch
version, has the following section in it now. Note that the ignore_root
option is new in the libpam-krb5 module in etch and you need the etch
version of libpam-krb5 for everything to work properly with
ChallengeResponseAuthentication in ssh (PasswordAuthentication is more
robust).

PAM Authentication

Any new OpenAFS cell is strongly encouraged to use Kerberos v5 for
authentication. If you want PAM to automatically obtain AFS credentials
and you are using Kerberos v5, you will want to install the libpam-krb5
and libpam-openafs-session packages and then put something like the
following in /etc/pam.d/common-auth:

    auth    [success=ok default=1]  pam_krb5.so ignore_root
    auth    [default=done]          pam_openafs_session.so
    auth    required                pam_unix.so nullok_secure try_first_pass

and something like the following in /etc/pam.d/common-session:

    session optional  pam_krb5.so ignore_root
    session optional  pam_openafs_session.so
    session required  pam_unix.so

You'll probably also want the following in /etc/pam.d/common-account:

    account required  pam_krb5.so ignore_root
    account required  pam_unix.so

There are, of course, many variations depending on what different
mechanism you want to use and how you want to handle fallbacks.

If you are still using Kerberos v4 and the OpenAFS kaserver (or a KDC
that understands the same protocol) for authentication, you can instead
use the libpam-openafs-kaserver package and a configuration like:

    auth    sufficient  pam_afs.so ignore_root
    auth    required    pam_unix.so nullok_secure try_first_pass

in /etc/pam.d/common-auth and:

    session optional  pam_afs.so
    session required  pam_unix.so

in /etc/pam.d/common-session. Use pam_afs.krb.so instead of pam_afs.so
if you also want the PAM module to acquire a ticket cache for you. If
using this configuration with sshd, you may need to disable privilege
separation to get everything working properly. I've had mixed results
with that. Obviously, converting to Kerberos v5 authentication is
strongly preferred.

If you are using the kaserver as your KDC, you may also want to install
the openafs-kpasswd package to get the administrative utilities for
managing those Kerberos accounts.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
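As an added example that is not part of the message above (nor code from the Debian packages), the following Python script models how Linux-PAM walks the quoted /etc/pam.d/common-auth stack: a Kerberos failure jumps over pam_openafs_session.so and falls through to the local pam_unix.so check, while a Kerberos success ends the stack at the default=done entry so pam_unix.so is never consulted. The control-flag semantics are a simplification of pam.d(5), and the module return values are constructed stubs.

```python
# Added example (not from the original post or the Debian packages): a
# simplified model of Linux-PAM control-flag evaluation per pam.d(5), used to
# trace the /etc/pam.d/common-auth stack quoted above. Module return values
# are constructed stubs; reset, new_authtok_reqd and cached chains are omitted.
SHORTHAND = {  # keyword controls expanded the way pam.d(5) documents them
    "required":   {"success": "ok",   "default": "bad"},
    "optional":   {"success": "ok",   "default": "ignore"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(ctrl):
    """'required' or '[success=ok default=1]' -> {return_value: action}."""
    if ctrl in SHORTHAND:
        return dict(SHORTHAND[ctrl])
    return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())

def run_stack(stack, results):
    """Walk (control, module) pairs; `results` maps module -> its return
    value ('success' or an error name). Returns (outcome, modules_run)."""
    impression, status, invoked, i = None, None, [], 0
    while i < len(stack):
        ctrl, module = stack[i]
        ret = results[module]
        invoked.append(module)
        acts = parse_control(ctrl)
        action = acts.get(ret, acts.get("default", "bad"))
        if action.isdigit():             # jump over N modules; like 'ok',
            i += int(action)             # but only a success counts
            action = "ok" if ret == "success" else "ignore"
        i += 1
        if action in ("ok", "done"):
            if impression is None:       # first positive vote sets status
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                    # stack ends here
        elif action in ("bad", "die"):
            if impression != "negative": # a failure is never overridden
                impression, status = "negative", ret
            if action == "die":
                break
    return ("perm_denied" if impression is None else status), invoked

COMMON_AUTH = [  # the common-auth stack from the README quoted above
    ("[success=ok default=1]", "pam_krb5.so"),
    ("[default=done]",         "pam_openafs_session.so"),
    ("required",               "pam_unix.so"),
]

def trace(krb5, openafs="success", unix="success"):
    return run_stack(COMMON_AUTH, {"pam_krb5.so": krb5,
        "pam_openafs_session.so": openafs, "pam_unix.so": unix})
```

Calling trace("auth_err") shows the fallback path (pam_krb5.so, then pam_unix.so), and trace("success") shows that pam_unix.so is skipped once Kerberos authentication and the AFS token step have run.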