[OpenAFS] pam and openafs 1.2.7 for RH 7.2
Marc Schmitt
schmitt@inf.ethz.ch
Tue, 08 Oct 2002 12:32:23 +0200
Hi Charles,
Thanks for your answer.
Charles Clancy wrote:
> If you compile --with-kerberos4 and --with-afs, OpenSSH should accept krb4
> TGTs, krb4 passwords, or AFS tokens for authentication. OpenSSH will also
> grab a PAG for you and run krb_afslog() when you log in. They still need
> to be enabled in your sshd_config.
I have AFSTokenPassing and KerberosTgtPassing enabled.
>
> PAM authentication and krb4 authentication in OpenSSH are completely
> independent. There's no reason why adding those options to ./configure
> would inhibit PAM from working. In fact, I've compiled and used both
> under the same sshd (though on Solaris).
>
> The only thing I can possibly think of is that somehow there are library
> conflicts between the AFS and krb4 libraries statically linked into your
> OpenSSH, versus those statically linked to pam_afs.so, and things go wrong
> when OpenSSH (via libpam.so) dlopen's pam_afs.so.
What I found is that if I use use_klog in system-auth, it works.
I changed it from
auth sufficient /lib/security/pam_afs.krb.so try_first_pass ignore_uid 100
to
auth sufficient /lib/security/pam_afs.krb.so try_first_pass ignore_uid 100 use_klog
Does that make sense to you?
>
> Do other modules work with your kerberos-enabled version of OpenSSH?
I don't know exactly what you mean by other modules.
>
> In theory, if you have kerberos4 authentication with AFS support, you
> don't need PAM. They shouldn't be mutually exclusive, but if they are, it
> shouldn't matter, because you only need one or the other.
What I have:
- AFS cell with kaserver
What I want to achieve is the following:
- when logging into the cluster from a machine outside the cluster with
ssh, I get prompted for the password, authenticating myself against
kaserver, once logged in, I have a token in the AFS cell (the home
directories are in AFS)
- once inside the cluster, I want to be able to ssh from one machine to
another machine inside the cluster w/o being prompted for a password and
with my token being forwarded
- logging in on the console (or XDM/GDM/KDM) of a cluster machine
authenticates me against kaserver and creates a token
For that I need:
- PAM_AFS
- sshd with AFS support (and therefore kerberos4 support)
Right?
To come back to your statement about the statically linked libraries,
which versions go well together? I.e. what versions of krb4 and OpenSSH
are you using under Solaris?
When I tried plain OpenSSH-3.4p1-2 from RedHat, by just enabling
kerberos4 and afs, I didn't get far (cf.
http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0207/392/1.html).
Using the RPMs built by Jan Iven
(/afs/cern.ch/project/linux/redhat/cern/updates/7.2.1/SRPMS/openssh-3.4p1-5.cern.src.rpm),
which has some of those patches included, it started working. Anyway, I
still have to use use_klog in system-auth, otherwise I have the problem
posted by Andi in the initial post.
Regards,
Marc
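Added example, not part of the thread and not OpenAFS or OpenSSH code: a small Python check that parses a pam.d stack and an sshd_config fragment the way Marc describes his setup, flagging pam_afs auth entries that lack use_klog and reporting whether AFSTokenPassing and KerberosTgtPassing are set to yes. The sample configuration strings are constructed from the lines quoted in the mail.

```python
import re
from typing import Dict, List

# Constructed samples reproducing the system-auth entry Marc quotes:
# the form that did not work, and the same entry with use_klog added.
SYSTEM_AUTH_BEFORE = "auth sufficient /lib/security/pam_afs.krb.so try_first_pass ignore_uid 100\n"
SYSTEM_AUTH_AFTER = SYSTEM_AUTH_BEFORE.rstrip("\n") + " use_klog\n"

# Constructed sshd_config fragment with the two options Marc says he enabled.
SSHD_CONFIG_OK = "AFSTokenPassing yes\nKerberosTgtPassing yes\n"

# sshd_config options named in the thread that must be "yes" for token passing.
REQUIRED_SSHD_OPTIONS = ("AFSTokenPassing", "KerberosTgtPassing")


def parse_pam_stack(text: str) -> List[Dict[str, object]]:
    """Parse pam.d-style text into entries: type, control, module, options.

    A trailing backslash continues a line (PAM syntax); '#' starts a comment.
    """
    entries: List[Dict[str, object]] = []
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only, or too short to be a valid entry
        entries.append({"type": fields[0], "control": fields[1],
                        "module": fields[2], "options": fields[3:]})
    return entries


def pam_afs_missing_use_klog(text: str) -> List[str]:
    """Return module paths of pam_afs auth entries that lack use_klog."""
    return [str(e["module"]) for e in parse_pam_stack(text)
            if e["type"] == "auth" and "pam_afs" in str(e["module"])
            and "use_klog" not in e["options"]]


def sshd_missing_afs_options(text: str) -> List[str]:
    """Return required sshd_config options that are absent or not 'yes'.

    Keywords are case-insensitive and, as in sshd, the first occurrence wins.
    """
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            seen.setdefault(fields[0].lower(), fields[1].lower())
    return [opt for opt in REQUIRED_SSHD_OPTIONS if seen.get(opt.lower()) != "yes"]


if __name__ == "__main__":
    print("before:", pam_afs_missing_use_klog(SYSTEM_AUTH_BEFORE))
    print("after:", pam_afs_missing_use_klog(SYSTEM_AUTH_AFTER))
    print("sshd:", sshd_missing_afs_options(SSHD_CONFIG_OK))
```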