[OpenAFS] ticket/token forwarding debian - info
Russ Allbery
rra@stanford.edu
Fri, 31 Mar 2006 10:10:09 -0800
Christopher D Clausen <cclausen@acm.org> writes:
> Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
>> After some time with krb5 and pam working but with no ticket forwarding
>> I want to set that up. Anyone got krb5-ticket forwarding with
>> automatic token generation on remote debian pc running and has tips for
>> me to set this up?
> https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian
> And you want to install libpam-openafs-session and add it to the
> appropriate PAM config files as well. The ssh-krb5 package should by
> default always run through the PAM routines, even when using forwarded
> credentials so that you always get tokens.
Note that in etch you'll be able to just use openssh-server and
openssh-client, as the main OpenSSH package has now incorporated the
GSSAPI fixes.
> I can post my PAM configs as well if that is desired, but I basically
> copied ones I found in various mailing list archive posts,
> http://mailman.mit.edu/pipermail/kerberos/2004-October/006621.html
The README.Debian installed with openafs-client, at least the etch
version, has the following section in it now. Note that the ignore_root
option is new in the libpam-krb5 module in etch and you need the etch
version of libpam-krb5 for everything to work properly with
ChallengeResponseAuthentication in ssh (PasswordAuthentication is more
robust).
PAM Authentication
Any new OpenAFS cell is strongly encouraged to use Kerberos v5 for
authentication. If you want PAM to automatically obtain AFS credentials
and you are using Kerberos v5, you will want to install the libpam-krb5
and libpam-openafs-session packages and then put something like the
following in /etc/pam.d/common-auth:
auth [success=ok default=1] pam_krb5.so ignore_root
auth [default=done] pam_openafs_session.so
auth required pam_unix.so nullok_secure try_first_pass
and something like the following in /etc/pam.d/common-session:
session optional pam_krb5.so ignore_root
session optional pam_openafs_session.so
session required pam_unix.so
You'll probably also want the following in /etc/pam.d/common-account:
account required pam_krb5.so ignore_root
account required pam_unix.so
There are, of course, many variations depending on what different
mechanism you want to use and how you want to handle fallbacks.
If you are still using Kerberos v4 and the OpenAFS kaserver (or a KDC
that understands the same protocol) for authentication, you can instead
use the libpam-openafs-kaserver package and a configuration like:
auth sufficient pam_afs.so ignore_root
auth required pam_unix.so nullok_secure try_first_pass
in /etc/pam.d/common-auth and:
session optional pam_afs.so
session required pam_unix.so
in /etc/pam.d/common-session. Use pam_afs.krb.so instead of pam_afs.so
if you also want the PAM module to acquire a ticket cache for you. If
using this configuration with sshd, you may need to disable privilege
separation to get everything working properly. I've had mixed results
with that. Obviously, converting to Kerberos v5 authentication is
strongly preferred.
If you are using the kaserver as your KDC, you may also want to install
the openafs-kpasswd package to get the administrative utilities for
managing those Kerberos accounts.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
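The auth stacks quoted above rely on Linux-PAM control-flag semantics (`[success=ok default=1]`, `[default=done]`, `sufficient`, `required`) to fall back from Kerberos to the local password database. The following is an added example, not code from this thread, from OpenAFS, or from the Debian packages: a small evaluator that parses the quoted `common-auth` and `common-account` lines and walks them with constructed module results, so the fallback behaviour can be checked before touching a real `/etc/pam.d`. The module return values (`auth_err`, `acct_expired`) are made up for the walk-through, and an integer jump action is modelled simply as "skip N modules without recording a result", which is an assumed simplification of Linux-PAM's exact bookkeeping.

```python
"""Illustrative PAM stack evaluator for the Kerberos/AFS configurations above.
Added example; not part of OpenAFS, libpam-krb5, libpam-openafs-session or Linux-PAM."""

import re

# Constructed copies of the stacks from the README.Debian excerpt.
V5_AUTH = """\
auth [success=ok default=1] pam_krb5.so ignore_root
auth [default=done] pam_openafs_session.so
auth required pam_unix.so nullok_secure try_first_pass
"""
KASERVER_AUTH = """\
auth sufficient pam_afs.so ignore_root
auth required pam_unix.so nullok_secure try_first_pass
"""
V5_ACCOUNT = """\
account required pam_krb5.so ignore_root
account required pam_unix.so
"""

# Linux-PAM's keyword controls are shorthand for these bracketed forms (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Parse pam.d lines into (module, control-dict, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        _type, control, module, args = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        entries.append((module, ctl, args.split()))
    return entries


def run_stack(entries, results):
    """Walk the stack. `results` maps module name -> the value it returns
    (modules not listed return "success"). Returns (overall status, modules consulted).

    ok/done and bad/die record the module's result unless an earlier module
    already recorded a failure; ignore contributes nothing; done/die stop the
    walk. An integer action is modelled as ignore-and-skip (assumed simplification).
    Unlisted return values fall back to the control's default, or "bad" if none."""
    status = None        # None: nothing recorded yet
    skip = 0
    trace = []
    for module, ctl, _args in entries:
        if skip:
            skip -= 1
            continue
        trace.append(module)
        result = results.get(module, "success")
        action = ctl.get(result, ctl.get("default", "bad"))
        if action.isdigit():
            skip = int(action)
            continue
        if action in ("ok", "done", "bad", "die") and status in (None, "success"):
            status = result
        if action in ("done", "die"):
            break
    return (status if status is not None else "perm_denied"), trace


def scenarios():
    """Worked cases: which modules run and what the stack returns."""
    v5, ka, acct = parse_stack(V5_AUTH), parse_stack(KASERVER_AUTH), parse_stack(V5_ACCOUNT)
    return {
        # Kerberos accepts the password: pam_openafs_session ends the stack, pam_unix never runs.
        "v5_krb_ok": run_stack(v5, {"pam_krb5.so": "success"}),
        # Kerberos rejects it: jump over pam_openafs_session, pam_unix decides.
        "v5_krb_fail_unix_ok": run_stack(v5, {"pam_krb5.so": "auth_err", "pam_unix.so": "success"}),
        "v5_both_fail": run_stack(v5, {"pam_krb5.so": "auth_err", "pam_unix.so": "auth_err"}),
        # kaserver stack: sufficient short-circuits on success and is ignored on failure.
        "ka_afs_ok": run_stack(ka, {"pam_afs.so": "success"}),
        "ka_afs_fail_unix_ok": run_stack(ka, {"pam_afs.so": "auth_err", "pam_unix.so": "success"}),
        # account stack: both required, so a Kerberos failure is not rescued by pam_unix.
        "acct_krb_fail": run_stack(acct, {"pam_krb5.so": "acct_expired", "pam_unix.so": "success"}),
    }


if __name__ == "__main__":
    for name, (status, trace) in scenarios().items():
        print("%-22s %-13s via %s" % (name, status, " -> ".join(trace)))
```

The interesting rows are `v5_krb_fail_unix_ok` (the Kerberos failure jumps over `pam_openafs_session.so`, so no token acquisition is attempted for a local-password login) and `acct_krb_fail` (in `common-account` both modules are `required`, so a Kerberos account problem fails the login even when the local account is fine; that is the point of the `ignore_root` option, which keeps root out of the Kerberos checks).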