Hi all. I have a question about pam-afs-session, although my problem may actually be more related to OpenSSH and Kerberos.
I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it seems to work fine, provided I use PAM to do the authentication rather than OpenSSH. This means typing my password even though I've already got a ticket on my workstation. However, I would ideally like to let OpenSSH do the authentication (i.e. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config). The client can forward Kerberos credentials and (hopefully) pam-afs-session can turn that into a token. Is such a setup possible?

In trying to set this up, I've used these settings in sshd_config:

ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes

.. and /etc/pam.d/system-auth looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        [success=ok default=1] /lib/security/$ISA/pam_krb5.so
auth        [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     required      /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug

When I log in to the machine with this configuration, I get my Kerberos ticket propagated OK, but no token, and some messages in syslog:

$ klist
Ticket cache: FILE:/tmp/krb5cc_10846_QyS612
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
09/03/07 17:28:42  09/03/07 19:37:42  krbtgt/[EMAIL PROTECTED]
        renew until 09/03/07 09:38:26

Kerberos 4 ticket cache: /tmp/tkt10846
klist: You have no tickets cached

$ tokens
Tokens held by the Cache Manager:

   --End of list--

Sep  3 17:28:42 crashburn sshd(pam_unix)[612]: session opened for user rns by (uid=0)
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: configured realm 'UNIMELB.EDU.AU'
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flags: forwardable
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no ignore_afs
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: user_check
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no krb4_convert
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: warn
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ticket lifetime: 36000
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: renewable lifetime: 36000
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: banner: Kerberos 5
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ccache dir: /tmp
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: keytab: /etc/krb5.keytab
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: afs cell: unimelb.edu.au
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: no v5 creds for user 'rns', skipping session setup
Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: pam_open_session returning 0 (Success)
Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: exit (success)

So it seems like pam_krb5 and pam-afs-session can't find the credentials cache. I'm not sure what order things are happening in here, and what the interactions between PAM, Kerberos and OpenSSH are.
Seems like I've tried just about every combination of parameters for OpenSSH and PAM but no luck. (I also tried setting "always_aklog" as a flag to pam-afs-session, but that made no difference.) I've also seen a newer version of pam_krb5 (2.2.x) which supports flags "useshmem" and "external" that look helpful, but I was hoping not to need this as I'm trying to stick as much as possible with the vendor-supplied packages (RHEL4 has pam_krb5-2.1.8-1). Ultimately I'm hoping to extend this configuration to Solaris 10 too ..

Regards,
Robert.

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
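The posted system-auth stack mixes plain keywords (required, sufficient, optional) with bracketed control fields ([success=ok default=1], [default=done]), and which modules actually get invoked depends on those fields. The following walker is an added example, not code from the original post, from pam-afs-session or from Linux-PAM itself: it parses the auth and session groups of that stack and simulates the dispatch rules documented in pam.conf(5) (required/requisite/sufficient/optional expanded to their bracketed equivalents, an integer action treated as "ok, then skip the next N modules"). Simplifying assumptions, also noted in the code: every module returns either "success" or a single failure code, PAM_IGNORE and new_authtok_reqd are not modelled, and the module results fed in (the three scenarios under main) are constructed inputs chosen to exercise the stack, not observed behaviour of pam_unix, pam_krb5 or pam_afs_session. The path prefix /lib/security/$ISA/ is trimmed for readability.

```python
"""Simulate Linux-PAM control-flag dispatch for the posted system-auth stack.

Added example (not Linux-PAM's dispatcher).  Keyword controls are expanded
per pam.conf(5); an integer action N is treated as "ok" plus a skip of the
next N modules.  Assumption: modules return "success" or one failure code;
PAM_IGNORE and new_authtok_reqd are deliberately not modelled.
"""
import re

# auth and session groups from the posted /etc/pam.d/system-auth, path prefix trimmed.
SYSTEM_AUTH = """
auth     required                 pam_env.so
auth     sufficient               pam_unix.so likeauth nullok
auth     [success=ok default=1]   pam_krb5.so
auth     [default=done]           pam_afs_session.so program=/usr/bin/aklog debug
auth     required                 pam_deny.so
session  required                 pam_limits.so
session  required                 pam_unix.so
session  optional                 pam_krb5.so
session  required                 pam_afs_session.so program=/usr/bin/aklog debug
"""

# Keyword equivalents from pam.conf(5), minus the unmodelled return codes.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text, group):
    """Return [(module, {retcode: action})] for one management group (auth, session, ...)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != group:
            continue
        control = m.group(2)
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = dict(KEYWORDS[control])
        stack.append((m.group(3), actions))
    return stack


def evaluate(stack, results):
    """Walk the stack.  `results` maps module -> returned code; a module absent
    from it is assumed to fail with "auth_err" (which is what pam_deny does).
    Returns (final status, list of modules that were actually invoked)."""
    impression = None        # None, "positive" or "negative", as in libpam
    status = "perm_denied"   # an empty stack denies
    ran, skip, i = [], 0, 0
    while i < len(stack):
        module, actions = stack[i]
        i += 1
        if skip:                 # jumped over by an earlier N action: never invoked
            skip -= 1
            continue
        ran.append(module)
        retval = results.get(module, "auth_err")
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():     # jump: contributes like "ok", then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            # "ok" only overrides a stack state that would still succeed; a failure
            # recorded this way is frozen and later successes do not clear it
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break            # sufficient-style short circuit
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": contributes nothing to the result
    return status, ran


if __name__ == "__main__":
    auth = parse_stack(SYSTEM_AUTH, "auth")
    # Constructed scenarios: which modules answer "success" is an input, not a measurement.
    scenarios = {
        "krb5 ok, unix fails":  {"pam_env.so": "success", "pam_krb5.so": "success", "pam_afs_session.so": "success"},
        "only pam_env ok":      {"pam_env.so": "success"},
        "local password ok":    {"pam_env.so": "success", "pam_unix.so": "success"},
    }
    for name, results in scenarios.items():
        print(name, "->", evaluate(auth, results))
```

Two things the walk makes visible: a success from pam_unix (sufficient) ends the auth group before pam_krb5 and pam_afs_session are reached at all, and a failure from pam_krb5 is frozen by the "default=1" jump, which skips pam_afs_session and lands on pam_deny. Note also that the auth group only matters when sshd actually calls pam_authenticate, which it does for password and keyboard-interactive logins; for a GSSAPI login, only the account and session groups run, so the session entry for pam_afs_session is the one that has to find the credential cache.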