[OpenAFS] no tokens at login time via ssh

Kevin Scott Sumner ksumner@physics.unc.edu
Tue, 17 Oct 2006 15:48:15 -0400 (EDT)


After looking into this, I realize I misspoke.  We're still using the
default RedHat EL 3.0's sshd, as well as Debian's vendor binaries.  I
forgot that we want to be able to ssh to our machines if our fileservers
holding the packages aren't available because of
[your_favorite_disaster_here].  :)

On my development sarge/etch machines, common-auth looks like this:
[snip]
auth    optional        pam_krb5.so
auth    sufficient      pam_afs.so try_first_pass ignore_root
auth    sufficient      pam_unix.so try_first_pass likeauth nullok
auth    required        pam_deny.so
[/snip]

There are minor problems with this layering and some options, but nothing
security-related... that I can tell, anyway.  Our RHEL3 system-auth is a
bit more broken, but the same stacking.

I don't have the config info for RHEL or Debian in front of me, but neither
is linked against AFS, though RHEL's is linked against some krb5 libs:
libkrb5.so.3, libk5crypto.so.3, libgssapi_krb5.so.2

We're not doing ticket or token forwarding, so it doesn't matter to us
how sshd is compiled anyway -- pam handles the auth... at least, that's my
understanding.  Feel free to educate me, though.

Cheers,
Kevin
-----
Kevin Sumner
Assistant Unix Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill
ksumner@physics.unc.edu

On Tue, 17 Oct 2006, Daniel Clark wrote:

> On 10/17/06, Kevin Scott Sumner <ksumner@physics.unc.edu> wrote:
>
> > With just some configuration changes, the kdc authentication, token-getting
> > and ticket-getting all worked out of the box once upon a time... although,
> > we now have compiled our own version of ssh/sshd.
>
>
> This seems sort of unavoidable if you want to use some of the more advanced
> OpenAFS/Kerberos related features, esp. if you must support platforms other
> than Debian/Ubuntu.
>
> Do you happen to have specs of your OpenSSH compiles anywhere?
>
> I am also doing this; my work is up at [1]; I just got stuff to compile
> cleanly, but still need to test against Kerberos 5 / PAM / OpenAFS etc.
>
> [1] http://www.dclark.us/encaps/profiles/openssh-4.4p1.ep
>
> Cheers,
> -Danny
>
>
> --
>
>
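To make the stacking in Kevin's common-auth concrete, here is an added example (not code from the thread) that parses that stack and walks it with Linux-PAM's control-flag rules, so you can see which module decides the result when the Kerberos/AFS modules fail and the local password is the only thing left. The module outcomes are constructed, not real PAM calls, and the simulation ignores PAM_IGNORE and the bracketed `[...]` control syntax.

```python
"""Simulate how Linux-PAM walks Kevin's common-auth stack (added example).

Module results are constructed True/False values standing in for
PAM_SUCCESS / failure; no real PAM module is invoked.
"""

# The common-auth stack quoted in the mail (copied here for the example).
COMMON_AUTH = """\
auth    optional        pam_krb5.so
auth    sufficient      pam_afs.so try_first_pass ignore_root
auth    sufficient      pam_unix.so try_first_pass likeauth nullok
auth    required        pam_deny.so
"""


def parse_stack(text):
    """Return [(control, module)] for the 'auth' lines of a PAM config."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate_stack(stack, outcomes):
    """Apply Linux-PAM control-flag semantics to per-module results.

    outcomes maps module name -> True (success) / False (failure); a module
    missing from the dict is treated as failing (e.g. fileservers down).
    Returns ("success"|"failure", module that decided it).
    """
    required_failed = None
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return "failure", module        # stop at once
        if control == "required" and not ok and required_failed is None:
            required_failed = module        # remembered; the walk continues
        if control == "sufficient" and ok and required_failed is None:
            return "success", module        # short-circuits the rest
        # optional: result does not affect the outcome of this stack
    if required_failed is not None:
        return "failure", required_failed
    return "success", None


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    # Fileservers unreachable: pam_krb5 and pam_afs fail, local password works.
    print(evaluate_stack(stack, {"pam_unix.so": True}))
    # Nothing authenticates: pam_deny (required) is reached and fails.
    print(evaluate_stack(stack, {}))
```

Because pam_krb5 is `optional`, its failure never blocks login on its own; the trailing `required pam_deny.so` is what turns "every sufficient module failed" into a definite failure.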