[OpenAFS] Re: ssh+afs logins fail on IRIX 6.5.15

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 29 May 2002 15:03:20 +0100


On Wed, May 29, 2002 at 09:21:03AM -0400, openafs-info-request@openafs.org wrote:
On Tue, 28 May 2002 15:42:58 -0400,
"David R. Steiner" <david.r.steiner@Dartmouth.EDU> wrote:
> I can build OpenSSH and it works fine when the user who is logging in 
> has a local account. When a user with an AFS account tries to log in, 
> however, it fails with "Permission denied". AFS users can log in OK 
> from the console.
> 
> Running 'sshd -d' on the server shows that the Kerberos 
> authentication fails with "Principal unknown" (see debug output 
> below).

This is a bug in OpenSSH, which has been reported and ignored
for a long time.  In auth-krb4.c you'll find a note saying

        * Now that we have a TGT, try to get a local
        * "rcmd" ticket to ensure that we are not talking
        * to a bogus Kerberos server.

I don't think this works with Transarc kaservers, and the symptoms
are as you describe.  I had to delete this section in my ssh source.
Also, since I presume you are using KTH Kerberos 4, be sure you have
the right entries in /etc/krb.conf and /etc/krb.realms.

     -- Owen
     LeBlanc@mcc.ac.uk
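
The check quoted from auth-krb4.c above, modelled as an added example (not code from OpenSSH or from this post). A toy MAC stands in for krb4 ticket encryption. The principal name rcmd.host, the keys, and the idea that the failing realm simply has no rcmd principal are assumptions made for illustration.

```python
import hashlib
import hmac

def seal(key, payload):
    # Toy stand-in for a ticket: a MAC under `key`, then the payload (not real krb4).
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key, blob):
    tag, payload = blob[:32], blob[32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None

class KDC:
    def __init__(self, principals):
        self.db = dict(principals)          # principal name -> long-term key

    def ticket(self, principal):
        if principal not in self.db:
            raise LookupError("Principal unknown")
        return seal(self.db[principal], principal.encode())

def login(kdc, user, typed_key, srvtab_key, verify_kdc=True):
    try:
        # Step 1: the TGT reply must open with the key derived from the typed password.
        if unseal(typed_key, kdc.ticket(user)) is None:
            return "denied: bad password"
        if not verify_kdc:
            return "accepted, KDC never verified"
        # Step 2: the "rcmd" ticket must open with the host's own srvtab key,
        # which only the genuine KDC shares with this host.
        if unseal(srvtab_key, kdc.ticket("rcmd.host")) is None:
            return "denied: bogus KDC"
    except LookupError as err:
        return f"denied: {err}"
    return "accepted"

def scenarios():
    alice, host = b"constructed-alice-key", b"constructed-srvtab-key"
    genuine = KDC({"alice": alice, "rcmd.host": host})
    no_rcmd = KDC({"alice": alice})         # assumed: realm has no rcmd principal
    bogus = KDC({"alice": b"spoofed", "rcmd.host": b"guess"})
    return {
        "genuine": login(genuine, "alice", alice, host),
        "no_rcmd": login(no_rcmd, "alice", alice, host),
        "bogus_checked": login(bogus, "alice", b"spoofed", host),
        "bogus_unchecked": login(bogus, "alice", b"spoofed", host, verify_kdc=False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The no_rcmd case ends in the same "Principal unknown" denial reported in the thread, and bogus_unchecked shows what the login path accepts once the verification step is removed.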