[OpenAFS] pam and openafs 1.2.7 for RH 7.2

Marc Schmitt schmitt@inf.ethz.ch
Tue, 08 Oct 2002 12:32:23 +0200


Hi Charles,

Thanks for your answer.

Charles Clancy wrote:
> If you compile --with-kerberos4 and --with-afs, OpenSSH should accept krb4
> TGTs, krb4 passwords, or AFS tokens for authentication. OpenSSH will also
> grab a PAG for you and run krb_afslog() when you log in.  They still need
> enabled in your sshd_config.

I have AFSTokenPassing and KerberosTgtPassing enabled.

> 
> PAM authentication and krb4 authentication in OpenSSH are completely
> independent.  There's no reason why adding those options to ./configure
> would inhibit PAM from working.  In fact, I've compiled and used both
> under the same sshd (though on Solaris).
> 
> The only thing I can possibly think of is that somehow there are library
> conflicts between the AFS and krb4 libraries statically linked into your
> OpenSSH, versus those statically linked to pam_afs.so, and things go wrong
> when OpenSSH (via libpam.so) dlopen's pam_afs.so.

What I found is that if I use use_klog in system-auth, it works.
I changed it from

auth        sufficient    /lib/security/pam_afs.krb.so try_first_pass ignore_uid 100

to

auth        sufficient    /lib/security/pam_afs.krb.so try_first_pass ignore_uid 100 use_klog

Does that make sense to you?

> 
> Do other modules work with your kerberos-enabled version of OpenSSH?

I don't know exactly what you mean by other modules.

> 
> In theory, if you have kerberos4 authentication with AFS support, you
> don't need PAM.  They shouldn't be mutually exclusive, but if they are, it
> shouldn't matter, because you only need one or the other.

What I have:
- AFS cell with kaserver

What I want to achieve is the following:
- when logging into the cluster from a machine outside the cluster with 
ssh, I get prompted for the password, authenticating myself against 
kaserver, once logged in, I have a token in the AFS cell (the home 
directories are in AFS)
- once inside the cluster, I want to be able to ssh from one machine to 
another machine inside the cluster w/o being prompted for a password and 
with my token being forwarded
- logging in on the console (or XDM/GDM/KDM) of a cluster machine 
authenticates me against kaserver and creates a token

For that I need:
- PAM_AFS
- sshd with AFS support (and therefore kerberos4 support)
Right?


To come back to your statement about the statically linked libraries, 
which versions go well together? I.e. what versions of krb4 and OpenSSH 
are you using under Solaris?

When I tried plain OpenSSH-3.4p1-2 from RedHat, by just enabling 
kerberos4 and afs, I didn't get far (c.f. 
http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0207/392/1.html). 
Using the RPMs built by Jan Iven 
(/afs/cern.ch/project/linux/redhat/cern/updates/7.2.1/SRPMS/openssh-3.4p1-5.cern.src.rpm), 
which has some of those patches included, it started working. Anyway, I 
still have to use use_klog in system-auth, otherwise I have the problem 
posted by Andi in the initial post.


Regards,
	Marc