[OpenAFS] pam and openafs 1.2.7 for RH 7.2

Marc Schmitt schmitt@inf.ethz.ch
Sat, 05 Oct 2002 20:19:44 +0200


Hi Andi,

Was the sshd version on the alpha machine built --with-afs?

I'm seeing the problem you describe under RedHat 7.3 with 
openafs-1.2.7-rh7.3.1 and openssh-3.4p1-3 (what I changed between 
3.4p1-2 and 3.4p1-3 is adding "--with-afs=/usr 
--with-kerberos4=/usr/athena" to the configure line; krb4 is version 1.2).

If I use openssh-3.4p1-2, I get:

Oct  5 19:35:14 otherhost sshd(pam_unix)[8281]: session opened for user testuser by (uid=0)

If I use openssh-3.4p1-3, I get:

Oct  5 19:47:42 otherhost pam_afs[15855]: AFS Authentication failed for user testuser. password was incorrect
Oct  5 19:47:42 otherhost sshd(pam_unix)[15851]: check pass; user unknown
Oct  5 19:47:42 otherhost sshd(pam_unix)[15851]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=somehost

Looking at the debug output of sshd:

With openssh-3.4p1-2:

Oct  5 20:03:53 otherhost sshd[23253]: Failed none for testuser from 129.132.10.58 port 35551
Oct  5 20:03:53 otherhost sshd[23253]: debug3: mm_request_receive entering
Oct  5 20:03:56 otherhost sshd[23253]: debug3: monitor_read: checking request 10
Oct  5 20:03:56 otherhost sshd[23253]: debug1: PAM Password authentication accepted for user "testuser"
Oct  5 20:03:56 otherhost sshd[23253]: debug3: mm_answer_authpassword: sending result 1
Oct  5 20:03:56 otherhost sshd[23253]: debug3: mm_request_send entering: type 11
Oct  5 20:03:56 otherhost sshd[23253]: debug2: pam_acct_mgmt() = 0
Oct  5 20:03:56 otherhost sshd[23253]: Accepted password for testuser from 129.132.10.58 port 35551
Oct  5 20:03:56 otherhost sshd[23253]: debug1: monitor_child_preauth: testuser has been authenticated by privileged process

and openssh-3.4p1-3:

Oct  5 19:47:39 otherhost sshd[15851]: Failed none for testuser from 129.132.10.58 port 35528
Oct  5 19:47:39 otherhost sshd[15851]: debug3: mm_request_receive entering
Oct  5 19:47:42 otherhost sshd[15851]: debug3: monitor_read: checking request 10
Oct  5 19:47:44 otherhost sshd[15851]: debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
Oct  5 19:47:44 otherhost sshd[15851]: debug3: mm_answer_authpassword: sending result 0
Oct  5 19:47:44 otherhost sshd[15851]: debug3: mm_request_send entering: type 11
Oct  5 19:47:44 otherhost sshd[15851]: Failed password for testuser from 129.132.10.58 port 35528

PAM authentication fails... but why? Nothing has changed in 
/etc/pam.d/system-auth nor /etc/pam.d/sshd between the two tests.
Looks like AFS support in OpenSSH bites pam AFS authentication...

Regards,
	Marc


Andreas Buechler wrote:
> Hello,
> 
> I just installed openafs 1.2.7 on an alpha machine. Everything worked fine
> (rebuilding and installing the rpm's) and at the end I was told to change
> the files cacheinfo and ThisCell. I changed both files, now I am able to
> get tokens etc as root for any afs-user. To be able to login and get a
> token automatically I changed /etc/pam.d/system-auth as described at the
> end of the installation.
> Does anybody have an idea why I still can't login via ssh as an afs-user?
> I posted my sshd and system-auth pam-files at the end of this mail.
> 
> Thanks for any help and sorry if this message was posted twice!
> 
> Andi