[OpenAFS] ssh: obtaining token at login

Michael Lasevich openafslist@lasevich.net
Mon, 22 Jul 2002 12:22:17 -0700


Don't know if you got the response to this yet, but here goes a bit of
information about PAM that may be confusing you:

You seem to be using RedHat or its derivative, which uses the pam_stack pam
module. This allows for a centralized PAM control/configuration for multiple
services using /etc/pam.d/system-auth file. There is a tool called
"authconfig" on RedHat that is a text-based "GUI" tool to configure your
system-wide PAM settings (and other authentication-related configurations).
Start there.

Also, depending on your configuration, the ssh daemon (I think) may use
/etc/pam.d/sshd or /etc/pam.d/login, but both probably use
/etc/pam.d/system-auth to get their true configs.

Your best strategy is to use authconfig (WARNING, this may edit your KRB,
NIS, LDAP, etc. config files as needed) and then hand-edit the config files
and /etc/pam.d/system-auth to fine-tune it (if needed) - this will configure
proper AFS authentication for most applications using PAM. As an alternative,
you may remove system-auth from the /etc/pam.d/sshd (or login, depending on
your ssh config) and configure it standalone.

Now, I also run into some issues using AKLOG in an environment using a
Windows ADC instead of a real KA, or a real KRB5 server. If you wish I can
post my currently working version for that config.

-Michael


----- Original Message -----
From: "Andreas Buechler" <abuechle@fhzh.ch>
To: "openafs" <openafs-info@openafs.org>
Sent: Thursday, July 18, 2002 4:36 AM
Subject: [OpenAFS] ssh: obtaining token at login


> Hi all,
>
> still having problems getting tokens automatically after login. The
> problem is that I don't get any token after successfully logging in via ssh
> to my machine. If I try it with telnet it's no problem, I get a token
> automatically. My /etc/pam.d/sshd file looks like:
>
> ############################################
> #%PAM-1.0
>
> auth       sufficient   /lib/security/pam_unix.so
> auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
> auth       required     /lib/security/pam_nologin.so
>
> account    required     /lib/security/pam_stack.so service=system-auth
>
> password   required     /lib/security/pam_stack.so service=system-auth
>
> session    required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> #############################################
>
> After login with ssh /var/log/messages shows:
>
> Jul 18 11:45:38 testpc sshd(pam_unix)[1717]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost  user=testuser
> Jul 18 11:45:38 testpc pam_afs[1718]: AFS Authentication failed for user testuser. password was incorrect
> Jul 18 11:45:38 testpc pam_afs[1719]: AFS Authentication failed for user testuser. password was incorrect
> Jul 18 11:45:38 testpc sshd(pam_unix)[1717]: session opened for user testuser by (uid=0)
> Jul 18 11:45:38 testpc pam_afs: AFS Authentication failed for user testuser. password was incorrect
>
> I don't understand why AFS says authentication failed, I'm sure that I
> didn't mistype the password (tried it several times). And I also don't
> have any idea why it's then working when I get a token manually with
> klog.
> I'm reading "The Linux-PAM System Administrators Guide" now, but don't
> have any new ideas till now. If someone else knows about other sources that
> could help me to better understand my problem, please let me know!
>
> Thanks, Andi
>
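
The pam_stack indirection discussed in this thread, as an added example that is not part of either message: a small Python helper that expands `pam_stack.so service=X` lines and reports which file each effective rule comes from. The `sshd` text is the file quoted above; the `system-auth` text and the function names are constructed for the example, and only one-word control flags are handled.

```python
import os

def parse(text):
    """Yield (facility, control, module, args) for each rule; one-word controls assumed."""
    for line in text.replace("\\\n", " ").splitlines():  # backslash-newline continues a rule
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], os.path.basename(fields[2]), fields[3:]

def flatten(service, configs, facility, _seen=()):
    """Rules that apply to `facility`, with pam_stack.so service=X expanded in place."""
    if service in _seen:
        raise ValueError("pam_stack loop through " + service)
    rules = []
    for fac, control, module, args in parse(configs[service]):
        if fac != facility:
            continue
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            rules += flatten(target, configs, facility, _seen + (service,))
        else:
            rules.append((service, control, module, args))  # service = file the rule came from
    return rules

CONFIGS = {
    # The /etc/pam.d/sshd quoted in this thread.
    "sshd": """#%PAM-1.0
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
""",
    # Constructed system-auth for the example; a real one will differ.
    "system-auth": """#%PAM-1.0
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
""",
}

if __name__ == "__main__":
    for facility in ("auth", "session"):
        for origin, control, module, args in flatten("sshd", CONFIGS, facility):
            print(f"{facility:8} {origin:12} {control:11} {module} {' '.join(args)}")
```

For the quoted file, every `auth` rule originates in `sshd` itself, while the `session` rules begin with whatever `system-auth` supplies, so changes made to `system-auth` (by hand or by authconfig) reach the session stack but not the auth stack of this service.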