[OpenAFS] no tokens at login time via ssh

Kevin Scott Sumner ksumner@physics.unc.edu
Tue, 17 Oct 2006 11:51:54 -0400 (EDT)


Andreas,

We're running RHEL 3 (various update) clients and I've got a few personal
Debian etch boxes getting PAGs and tokens on login.  We also use MIT
Kerberos 5 KDCs for authentication.

A few things to look out for/check:
-- There may be a separate PAM config file for sshd in /etc/pam.d.  (Or,
perhaps, another section in pam.conf -- it's this way in Solaris 9's
slightly monolithic pam.conf)
-- In sshd_config, you can try setting your UsePrivilegeSeparation opposite
of what you have.  This caused problems for us and I can't remember
which way worked.
-- Lastly, I had to run sshd in non-daemon/debug mode when setting up
the Debian boxes... or maybe I was stracing/lsof'ng???  At any rate, one
of these will let you know when pam_afs gets referenced/loaded by sshd, if
at all.  I'm pretty sure it was sshd in debug mode...  (-d option -- check
the man page for more info.)

With just some configuration changes, the kdc authentication, token-getting
and ticket-getting all worked out of the box once upon a time... although,
we now have compiled our own version of ssh/sshd.

Hope this helps.

Cheers,
Kevin
-----
Kevin Sumner
Assistant Unix Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill
ksumner@physics.unc.edu

"Imagination is more important than knowledge.
For knowledge is limited, whereas imagination
embraces the entire world, stimulating progress,
giving birth to evolution."
  -Albert Einstein

On Tue, 17 Oct 2006, Andreas Donath wrote:

> Hello,
>
> I'm trying to get sshd running in a way that
> it generates tokens at login-time when
> users provide their passwords.
>
> Here are the client parameters:
>
> Platform: 	i386 Fedora Core 5
> Kernel:		2.6.17-1.2187_FC5smp
> Client-RPMS from ATRpms:
>
> openafs-kmdl-2.6.17-1.2187_FC5smp-1.4.1-17.fc5.at
> openafs-client-1.4.1-17.fc5.at
> openafs-1.4.1-17.fc5.at
>
> openssh-clients-4.3p2-4.10
> openssh-server-4.3p2-4.10
>
> For the purpose of logging in and token-creation,
> I modified /etc/pam.d/system-auth the usual way:
>
> [snip]
> auth        required      pam_env.so
> auth        sufficient    /lib/security/pam_afs.krb.so ignore_root
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
> [snip]
>
> This works fine e.g. for logging on from the console or gdm, but
> via ssh it fails in the way that I get in, but without a token.
>
> I searched the web and the mail-archives and I found the "use_klog"
> option for pam_afs.krb.so. Trying this one resulted in:
>
> pam_afs[2788]: can not access klog program '/usr/afsws/bin/klog'
>
> After installing the openafs-compat-1.4.1-fc5.1.rpm the error messages
> disappeared but a token won't get created still.
>
> My sshd_config looks like this:
>
>
> #	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile	.ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> PasswordAuthentication yes
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> #UsePAM no
> UsePAM yes
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation no
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem	sftp	/usr/libexec/openssh/sftp-server
>
> -----------------------
>
> I'm not sure what the KerberosGetAFSToken option does;
> anyway, switching it to yes resulted in an "Unsupported option" error.
> (We run the openafs kasserver).
>
> What am I missing here?
> Would I have to build sshd and openafs on my own, with
> special parameters set?
> Are there other options to be used?
>
> Any help is highly appreciated.
>
> Andreas
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
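The first check in Kevin's list (does the PAM stack sshd actually uses reach pam_afs, possibly only through Fedora's "include system-auth" line in /etc/pam.d/sshd?) and the sshd_config settings that decide whether PAM runs at all can be checked with the script below. It is an added example written for this page, not code from either poster or from OpenAFS/OpenSSH; the paths are parameters so it can be pointed at a copy of the files, and it assumes Linux-PAM syntax for include/substack lines.

```shell
#!/bin/sh
# Added diagnostic for the thread above. Two checks:
#  1. whether an active "auth" line in PAMDIR/SERVICE, or in a file it
#     pulls in via "auth include"/"auth substack", names pam_afs;
#  2. the effective value of sshd_config keys. Note sshd_config semantics:
#     the FIRST uncommented value for a key wins, so an early "UsePAM no"
#     silently hides a later "UsePAM yes" (assumption: Linux-PAM syntax).

# pam_afs_in_stack PAMDIR SERVICE -> exit 0 and print the file carrying
# the pam_afs auth line, exit 1 if none is found.
pam_afs_in_stack() {
    pamdir=$1; svc=$2; f="$pamdir/$svc"
    [ -r "$f" ] || return 1
    if grep -Ev '^[[:space:]]*#' "$f" | grep -E '^[[:space:]]*auth' | grep -q 'pam_afs'; then
        echo "$f"; return 0
    fi
    # follow "auth include X" / "auth substack X" (sshd on Fedora includes system-auth)
    for inc in $(grep -Ev '^[[:space:]]*#' "$f" | awk '$1=="auth" && ($2=="include"||$2=="substack"){print $3}'); do
        pam_afs_in_stack "$pamdir" "$inc" && return 0
    done
    return 1
}

# sshd_effective CONFIG KEY DEFAULT -> print the first active value of KEY
# (case-insensitive, as sshd treats keywords), or DEFAULT if KEY is only
# present commented out.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ {next}
        tolower($1)==tolower(key) && !done {print $2; done=1}
        END {if (!done) print def}' "$1"
}

# report SSHD_CONFIG PAMDIR -> one-screen summary of what to look at before
# resorting to "sshd -d" to watch the module actually being loaded.
report() {
    if hit=$(pam_afs_in_stack "$2" sshd); then
        echo "pam_afs is in sshd's auth stack via $hit"
    else
        echo "no active auth line for pam_afs in $2/sshd or its includes"
    fi
    for k in UsePAM ChallengeResponseAuthentication PasswordAuthentication UsePrivilegeSeparation; do
        echo "$k = $(sshd_effective "$1" "$k" '(default)')"
    done
}
```

Run as `report /etc/ssh/sshd_config /etc/pam.d`; with `UsePAM yes` and `ChallengeResponseAuthentication no`, sshd still runs the PAM account and session stacks but authenticates passwords itself, which is exactly the case where the sshd_config comment block quoted above warns the PAM auth stack may not be what decides the login.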