[OpenAFS-devel] AFS and SSH once again

Atro Tossavainen atro.tossavainen+openafs@helsinki.fi
Fri, 16 Nov 2007 15:51:38 +0200 (EET)


As readers may remember, I've just updated a PowerPC machine to the
newest version of Yellow Dog Linux and was having a bit of a hard
time with AFS.

Now everything seems to be working.

One final point remains, though.  I can log in using AFS passwords,
but am not getting a token.  The distribution includes OpenSSH 4.3p2,
and whether set_token is included or not doesn't seem to matter.

Here is the /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_afs.so setenv_password_expires ignore_root set_token debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

Here's the debug output from pam_afs:

Nov 16 15:47:14 x pam_afs[24497]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=1, dont_fork=0, use_klog=0
Nov 16 15:47:14 x pam_afs[24497]: AFS Username = `y'
Nov 16 15:47:14 x pam_afs[24497]: AFS No first password for user y 
Nov 16 15:47:14 x pam_afs[24497]: New PAG created in pam_authenticate()
Nov 16 15:47:14 x pam_afs[24497]: forking ...
Nov 16 15:47:14 x pam_afs[24498]: in child
Nov 16 15:47:14 x pam_afs[24497]: in parent, waiting ...
Nov 16 15:47:14 x pam_afs[24498]: child: auth_ok=1
Nov 16 15:47:14 x pam_afs[24497]: parent: auth_ok=1
Nov 16 15:47:14 x pam_afs[24497]: leaving auth: auth_ok=1
Nov 16 15:47:14 x pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
Nov 16 15:47:14 x pam_afs: AFS Establishing creds for user y 
Nov 16 15:47:14 x pam_afs: AFS Trying first password for user y
Nov 16 15:47:14 x pam_afs: New PAG created in pam_setcred()
Nov 16 15:47:14 x pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
Nov 16 15:47:14 x pam_afs: AFS ReInitializing creds for user y 

As far as I can see, pam_afs is doing the right thing, but I don't
have a PAG nor any tokens in the session that results.  What gives?

Another really REALLY weird point is that I have the same problem on
Solaris 9... on SSH Corp SSH1 with Dug Song's SSH patches and KTH
krb4.  I'll probably just end up eliminating the problem in another
way, but am thinking it is really strange.

-- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
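
Added example, not part of the original message: a small Python script that pulls the option dumps and PAG-creation events out of pam_afs debug lines like those quoted above, so the values printed in each PAM phase can be compared side by side. The function names are illustrative, the sample lines are copied from the message, and the script reports differences without interpreting them.

```python
import re

# Sample input: four lines copied from the pam_afs debug output quoted in the message.
SAMPLE_LOG = """\
Nov 16 15:47:14 x pam_afs[24497]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=1, dont_fork=0, use_klog=0
Nov 16 15:47:14 x pam_afs[24497]: New PAG created in pam_authenticate()
Nov 16 15:47:14 x pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
Nov 16 15:47:14 x pam_afs: New PAG created in pam_setcred()
"""

LINE_RE = re.compile(r"pam_afs(?:\[(\d+)\])?: (.*)$")   # the pid is optional in syslog
OPT_RE = re.compile(r"(\w+)\s*=\s*(\d+)")               # tolerates "ignore_uid = 1"
PAG_RE = re.compile(r"New PAG created in (\w+)\(\)")


def parse(log):
    """Return (option_dumps, pag_events) in log order.

    option_dumps: list of (pid or None, {option: value})
    pag_events:   list of (pid or None, PAM function that reported a new PAG)
    """
    dumps, pags = [], []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        if msg.startswith("AFS Options:"):
            dumps.append((pid, dict(OPT_RE.findall(msg))))
        else:
            p = PAG_RE.match(msg)
            if p:
                pags.append((pid, p.group(1)))
    return dumps, pags


def option_changes(dumps):
    """Options whose printed value differs between the first and the last dump."""
    first, last = dumps[0][1], dumps[-1][1]
    return {k: (first[k], last[k]) for k in first if k in last and first[k] != last[k]}


if __name__ == "__main__":
    dumps, pags = parse(SAMPLE_LOG)
    for pid, func in pags:
        print(f"new PAG reported in {func}() by pid {pid or 'unknown'}")
    for name, (before, after) in option_changes(dumps).items():
        print(f"{name}: {before} -> {after}")
```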