Re: [OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Has a bug report on this particular issue been filed with redhat? On Mon, Sep 03, 2007 at 10:40:09AM -0700, Russ Allbery wrote: Robert Sturrock [EMAIL PROTECTED] writes: I have a question about pam-afs-session, although my problem may actually be more related to Openssh and Kerberos. I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it seems to work fine, provided I use pam to do the authentication rather than openssh. This means typing my password even though I've already got a ticket on my workstation. However, I would ideally like to let openssh do the authentication (ie. set GSSAPIAuthentication yes in /etc/ssh/sshd_config). The client can forward Kerberos credentials and (hopefully) pam-afs-session can turn that into a token. Is such a setup possible? Yes, I use it all the time on Debian. However, if I remmeber correctly, RHEL 4 ships a broken sshd that runs the PAM session hooks and *then* saves the ticket cache. This is obviously broken and has been fixed in later versions of sshd, but I don't believe Red Hat has fixed it in an update. pam-afs-session can't do anything about this; at the time that it's called, no ticket cache is available because sshd hasn't written it out yet. If this is the problem that I remember, there isn't any real solution other than replacing sshd with a fixed version, but you can work around it by adding a call to aklog to the system shell initialization files. The user's PAG is created correctly; the only problem is that aklog is never run. I've also seen a newer version of pam_krb5 (2.2.x) which supports flags useshmem and external that look helpful, but I was hoping not to need this as I'm trying to stick as much as possible with the vendor supplied packages (RHEL4 has pam_krb5-2.1.8-1). Won't help for this case, since sshd will still hold on to the ticket cache for too long and PAM won't see it. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/ ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info -- David William Botsch Programmer/Analyst CNF Computing [EMAIL PROTECTED] ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
On Mon, Sep 03, 2007 at 10:40:09AM -0700, Russ Allbery wrote: However, if I remmeber correctly, RHEL 4 ships a broken sshd that runs the PAM session hooks and *then* saves the ticket cache. On Sep 5, 2007, at 2:04 PM, Dave Botsch wrote: Has a bug report on this particular issue been filed with redhat? Yes, see https://bugzilla.redhat.com/show_bug.cgi?id=246619 though bug #216689, of which #246619 is classified as a duplicate, seems to be protected and the issue persists on my RHEL4u5 machines. -- Ian Ward Comfort [EMAIL PROTECTED] System Administrator, Student Computing, Stanford University ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Hi all. I have a question about pam-afs-session, although my problem may actually be more related to Openssh and Kerberos. I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it seems to work fine, provided I use pam to do the authentication rather than openssh. This means typing my password even though I've already got a ticket on my workstation. However, I would ideally like to let openssh do the authentication (ie. set GSSAPIAuthentication yes in /etc/ssh/sshd_config). The client can forward Kerberos credentials and (hopefully) pam-afs-session can turn that into a token. Is such a setup possible? In trying to set this up, I've used these settings in sshd_config: ChallengeResponseAuthentication no KerberosAuthentication no GSSAPIAuthentication yes UsePAM yes .. and /etc/pam.d/system-auth looks like this: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired /lib/security/$ISA/pam_env.so authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok auth[success=ok default=1] /lib/security/$ISA/pam_krb5.so auth[default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug authrequired /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient/lib/security/$ISA/pam_krb5.so account sufficient/lib/security/$ISA/pam_succeed_if.so uid 100 quiet account required /lib/security/$ISA/pam_permit.so passwordrequisite /lib/security/$ISA/pam_cracklib.so retry=3 passwordsufficient/lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow passwordsufficient/lib/security/$ISA/pam_krb5.so passwordrequired /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_krb5.so session required /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug When I login to the machine with this configuration, I get my Kerberos ticket propagated ok, but no token, and some messages in syslog: $ klist Ticket cache: FILE:/tmp/krb5cc_10846_QyS612 Default principal: [EMAIL PROTECTED] Valid starting ExpiresService principal 09/03/07 17:28:42 09/03/07 19:37:42 krbtgt/[EMAIL PROTECTED] renew until 09/03/07 09:38:26 Kerberos 4 ticket cache: /tmp/tkt10846 klist: You have no tickets cached $ tokens Tokens held by the Cache Manager: --End of list-- Sep 3 17:28:42 crashburn sshd(pam_unix)[612]: session opened for user rns by (uid=0) Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: configured realm 'UNIMELB.EDU.AU' Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flags: forwardable Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no ignore_afs Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: user_check Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no krb4_convert Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: warn Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ticket lifetime: 36000 Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: renewable lifetime: 36000 Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: banner: Kerberos 5 Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ccache dir: /tmp Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: keytab: /etc/krb5.keytab Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: afs cell: unimelb.edu.au Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: no v5 creds for user 'rns', skipping session setup Sep 3 17:28:42 crashburn sshd[612]: pam_krb5[612]: pam_open_session returning 0 (Success) Sep 3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: entry (0x0) Sep 3 17:28:42 crashburn sshd[612]: (pam_afs_session): skipping tokens, no Kerberos ticket cache Sep 3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: exit (success) So it seems like pam_krb5 and pam-afs-session can't find the credentials cache. I'm not sure what order things are happening in here, and what the interactions between pam, kerberos and openssh are. Seems like I've tried just about every combination of parameters for openssh and pam but no luck. (I also tried setting always_aklog as a flag to pam-afs-session, but that made no difference). I've also seen a newer version of pam_krb5 (2.2.x) which supports flags useshmem and external that look helpful, but I was hoping not to need this as I'm trying to stick as much as possible with the vendor supplied packages (RHEL4 has pam_krb5-2.1.8-1). Ultimately I'm hoping to extend this configuration
Re: [OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
On Sep 3, 2007, at 10:40 AM, Russ Allbery wrote: Robert Sturrock [EMAIL PROTECTED] writes: I have a question about pam-afs-session, although my problem may actually be more related to Openssh and Kerberos. I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it seems to work fine, provided I use pam to do the authentication rather than openssh. This means typing my password even though I've already got a ticket on my workstation. However, I would ideally like to let openssh do the authentication (ie. set GSSAPIAuthentication yes in /etc/ssh/sshd_config). The client can forward Kerberos credentials and (hopefully) pam- afs-session can turn that into a token. Is such a setup possible? Yes, I use it all the time on Debian. However, if I remmeber correctly, RHEL 4 ships a broken sshd that runs the PAM session hooks and *then* saves the ticket cache. This is obviously broken and has been fixed in later versions of sshd, but I don't believe Red Hat has fixed it in an update. pam-afs- session can't do anything about this; at the time that it's called, no ticket cache is available because sshd hasn't written it out yet. That's correct. I believe this bug was fixed for OpenSSH 4.0+. RHEL4 ships a patched OpenSSH 3.9p1, but does not include the fix for this bug. I put a call to aklog in .bash_profile on all my RHEL boxes, as Russ suggests, though that's obviously a less than ideal arrangement. -- Ian Ward Comfort [EMAIL PROTECTED] System Administrator, Student Computing, Stanford University ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info