[OpenAFS] pam and openafs 1.2.7 for RH 7.2

Charles Clancy security@xauth.net
Tue, 8 Oct 2002 10:14:49 -0500 (CDT) 

> > The only think I can possibly think of is that somehow there are
> > library conflicts between the AFS and krb4 libraries statically linked
> > into your OpenSSH, versus those statically linked to pam_afs.so, and
> > things go wrong when OpenSSH (via libpam.so) dlopen's pam_afs.so.
>
> ...
>
> auth        sufficient    /lib/security/pam_afs.krb.so try_first_pass
> ignore_uid 100 use_klog
>
> Does that make sense to you?

If you tell pam_afs to "use_klog" then it's no longer calling the AFS
libraries at run-time -- it just execvp's your klog binary.  This would
support the argument that sshd-with-AFS-support's linked in AFS libraries
were causing a conflict for pam_afs, which presumably is calling the same
AFS functions.

> > Do other modules work with your kerberos-enabled version of OpenSSH?
>
> I don`t know exactly what you mean by other modules.

pam_unix.so

> What I want to achieve is the following:
> - when logging into the cluster from a machine outside the cluster with
> ssh, I get prompted for the password, authenticating myself against
> kaserver, once logged in, I have a token in the AFS cell (the home
> directories are in AFS)
> - once inside the cluster, I want to be able to ssh from one machine to
> another machine inside the cluster w/o being prompted for a password and
> with my token being forwarded
> - logging in on the console (or XDM/GDM/KDM) of a cluster maschine
> athenticates me against kaserver and creates a token

I have done exactly this for an AFS-based Beowulf cluster running LAM-MPI.

> For that I need:
> - PAM_AFS
> - sshd with AFS support (and therefore kerberos4 support)
> Right?

In theory, you could do it all with sshd with krb4 and AFS support.  If it
doesn't get a TGT, sshd should ask for a password and do password-based
krb4 authentication.  Then, it should grab a PAG and an AFS token for you.
If it does get a TGT or an AFS token, it should let you through without
asking for your password.  Check out openssh/auth-krb4.c for the fun
details.

To be honest, when I tried to implement this, I couldn't get it to work,
so I cheated.  I compiled OpenSSH with kerberos support (but NOT AFS
support).  Then, I used pam_afs.krb.so.  In the user login script, I ran
/usr/local/athena/bin/afslog.  Since all the AFS stuff lives in an
external binary (afslog), there are no conflicts with pam_afs.

So, first login, no TGT is sent, and they are sent to pam_afs.krb for
password authentication.  Password is correct, they get an AFS token.  The
feature of pam_afs.krb is that you'll also end up with a krb4 TGT.  Then,
if you ssh into another cluster machine, your TGT will let you in without
a password.  The afslog in the login script then grabs an AFS token with
your TGT.

> To come back to your statement about the statically linked libraries,
> which versions go well together? I.e. what versions of krb4 and OpenSSH
> are you using under Solaris?

Hmm... it's been almost two years since I did this.  For security reasons,
you wouldn't want to run those versions anyway.

I wish I had some extra time -- If I did, I'd submit patches to fix
OpenSSH's semi-broken AFS support, and maybe even include krb5-afs
support.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
[ crypto ]---[ coordinated science lab ]---[ university of illinois ]