[OpenAFS] pam and openafs 1.2.7 for RH 7.2

Charles Clancy security@xauth.net
Mon, 7 Oct 2002 16:24:50 -0500 (CDT)


If you compile --with-kerberos4 and --with-afs, OpenSSH should accept krb4
TGTs, krb4 passwords, or AFS tokens for authentication. OpenSSH will also
grab a PAG for you and run krb_afslog() when you log in.  They still need
to be enabled in your sshd_config.

PAM authentication and krb4 authentication in OpenSSH are completely
independent.  There's no reason why adding those options to ./configure
would inhibit PAM from working.  In fact, I've compiled and used both
under the same sshd (though on Solaris).

The only thing I can possibly think of is that somehow there are library
conflicts between the AFS and krb4 libraries statically linked into your
OpenSSH, versus those statically linked to pam_afs.so, and things go wrong
when OpenSSH (via libpam.so) dlopen's pam_afs.so.

Do other modules work with your kerberos-enabled version of OpenSSH?

In theory, if you have kerberos4 authentication with AFS support, you
don't need PAM.  They shouldn't be mutually exclusive, but if they are, it
shouldn't matter, because you only need one or the other.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]

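For reference, the sshd_config directives the reply above refers to, as an added illustration and not part of the original message: these are the Kerberos/AFS options that OpenSSH 3.x-era builds with krb4 and AFS support recognised (directive names as I recall them for that version; treat them as an assumption and check the sshd_config that shipped with your build). The PAM path is a separate switch, which is why the two can be tested independently when diagnosing the failure in the thread.

```text
# sshd_config fragment (constructed example for OpenSSH 3.4p1 built
# --with-kerberos4 --with-afs; directive names assumed from that era)

# Accept a krb4 password, or a krb4 TGT forwarded by the client,
# as the user's authentication.  Both off by default.
KerberosAuthentication yes
KerberosTgtPassing yes

# Accept an AFS token forwarded by the client, and have sshd obtain a
# PAG and call krb_afslog() for the session.  Off by default.
AFSTokenPassing yes

# Fall back to the local password database only if the KDC cannot be
# reached, not on a wrong password.
KerberosOrLocalPasswd no

# PAM is driven by its own switch and by /etc/pam.d/sshd; it does not
# depend on the Kerberos/AFS options above.  Turning this off while
# leaving the Kerberos options on isolates which path is failing.
PAMAuthenticationViaKbdInt yes
```

Restart sshd after editing and compare the syslog lines from a test login against the two captures quoted below: a failure that persists with PAM disabled points at the krb4/AFS path, and one that only appears with PAM enabled points at the pam_afs module.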

On Sat, 5 Oct 2002, Marc Schmitt wrote:

> Hi Andi,
>
> Was the sshd version on the alpha machine built --with-afs?
>
> I'm seeing the problem you describe under RedHat 7.3 with
> openafs-1.2.7-rh7.3.1 and openssh-3.4p1-3 (what I changed between
> 3.4p1-2 and 3.4p1-3 is adding "--with-afs=/usr
> --with-kerberos4=/usr/athena" to the configure line, krb4 is version 1.2).
>
> If I use openssh-3.4p1-2, I get:
>
> Oct  5 19:35:14 otherhost sshd(pam_unix)[8281]: session opened for user
> testuser by (uid=0)
>
> If I use openssh-3.4p1-3, I get:
>
> Oct  5 19:47:42 otherhost pam_afs[15855]: AFS Authentication failed for
> user testuser. password was incorrect
> Oct  5 19:47:42 otherhost sshd(pam_unix)[15851]: check pass; user unknown
> Oct  5 19:47:42 otherhost sshd(pam_unix)[15851]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=somehost
>
> Looking at the debug output of sshd:
>
> With openssh-3.4p1-2:
>
> Oct  5 20:03:53 otherhost sshd[23253]: Failed none for testuser from
> 129.132.10.58 port 35551
> Oct  5 20:03:53 otherhost sshd[23253]: debug3: mm_request_receive entering
> Oct  5 20:03:56 otherhost sshd[23253]: debug3: monitor_read: checking
> request 10
> Oct  5 20:03:56 otherhost sshd[23253]: debug1: PAM Password
> authentication accepted for user "testuser"
> Oct  5 20:03:56 otherhost sshd[23253]: debug3: mm_answer_authpassword:
> sending result 1
> Oct  5 20:03:56 otherhost sshd[23253]: debug3: mm_request_send entering:
> type 11
> Oct  5 20:03:56 otherhost sshd[23253]: debug2: pam_acct_mgmt() = 0
> Oct  5 20:03:56 otherhost sshd[23253]: Accepted password for testuser
> from 129.132.10.58 port 35551
> Oct  5 20:03:56 otherhost sshd[23253]: debug1: monitor_child_preauth:
> testuser has been authenticated by privileged process
>
> and openssh-3.4p1-3:
>
> Oct  5 19:47:39 otherhost sshd[15851]: Failed none for testuser from
> 129.132.10.58 port 35528
> Oct  5 19:47:39 otherhost sshd[15851]: debug3: mm_request_receive entering
> Oct  5 19:47:42 otherhost sshd[15851]: debug3: monitor_read: checking
> request 10
> Oct  5 19:47:44 otherhost sshd[15851]: debug1: PAM Password
> authentication for "testuser" failed[7]: Authentication failure
> Oct  5 19:47:44 otherhost sshd[15851]: debug3: mm_answer_authpassword:
> sending result 0
> Oct  5 19:47:44 otherhost sshd[15851]: debug3: mm_request_send entering:
> type 11
> Oct  5 19:47:44 otherhost sshd[15851]: Failed password for testuser from
> 129.132.10.58 port 35528
>
> PAM authentication fails... but why? Nothing has changed in
> /etc/pam.d/system-auth nor /etc/pam.d/sshd between the two tests.
> Looks like AFS support in OpenSSH bites pam AFS authentication...
>
> Regards,
> 	Marc
>
>
> Andreas Buechler wrote:
> > Hello,
> >
> > I just installed openafs 1.2.7 on an alpha machine. Everything worked fine
> > (rebuilding and installing the rpm's) and at the end I was told to change
> > the files cacheinfo and ThisCell. I changed both files, now I am able to
> > get tokens etc as root for any afs-user. To be able to login and get a
> > token automatically I changed /etc/pam.d/system-auth as described at the end of the
> > installation.
> > Does anybody have an idea why I still can't login via ssh as an afs-user?
> > I posted my sshd and system-auth pam-files at the end of this mail.
> >
> > Thanks for any help and sorry if this message was posted twice!
> >
> > Andi
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>