[OpenAFS] AFS tokens, PAM and FTP
Chris Crowther
chrisc@shad0w.org.uk
Fri, 27 Jun 2003 09:18:50 +0100
On Friday 27 Jun 2003 2:09 am, you wrote:
> Are you _sure_ pam_openafs_session is getting you a token? A "session" is
> typically defined as a tty being allocated, thus I wouldn't expect an ftp
> daemon to call the session PAM modules.
Other solutions are welcome. I'm wondering though if it's getting a token
but the token is getting destroyed when the PAM module exits...
> Could proftpd be trying to cd into the directory before it's done
> authenticating (perhaps looking for some .proftp file, or something)?
> What if you set the user's shell to / temporarily, FTP in, and then see if
> they can cd into that directory once you're 100% sure the authentication
> is done.
Jun 27 09:02:21 gargamel proftpd[10845]: pam_openafs-krb5: open_session: fork..
Jun 27 09:02:21 gargamel proftpd[10846]: pam_openafs-krb5: ENVIRONNEMENT: KRB5CCNAME=/tmp/krb5cc_h5dEHn
Jun 27 09:02:23 gargamel proftpd[10845]: pam_openafs-krb5: KRB5 OPENSESSION: OK !
Jun 27 09:02:28 gargamel proftpd[10845]: gargamel.jm-crowther.co.uk (ricci.shad0w.org.uk[10.0.1.2]) - chrisc chdir("/afs/jm-crowther.co.uk/user/chrisc"): Permission denied
The chdir() is after pam_openafs-krb5 (which is pam_openafs_session, Debian
just changes the module name) has said it's OK, i.e. it got a token. If you
look at the auth logs for Kerberos you also get:
Jun 27 09:02:21 gargamel krb5kdc[386]: TGS_REQ (1 etypes {1}) 10.0.0.247(88): ISSUE: authtime 1056700940, etypes {rep=16 tkt=1 ses=1}, chrisc@JM-CROWTHER.CO.UK for afs/jm-crowther.co.uk@JM-CROWTHER.CO.UK
Which suggests it issued the token.
To check though I changed the ACL on my $HOME temporarily so it could cd in
without a token, then tried to cd into some other directory that requires
tokens to access (the web directory in this case):
ftp> cd /afs/jm-crowther.co.uk/web/
550 web: Permission denied
> I've used proftpd with AFS via PAM in the past, but it was not in a krb5
> environment.
I don't think krb5 should make any difference - that part I know *is*
completing fine since I can login via FTP so long as the ACL doesn't stop me
doing a chdir() into the home directory.
--
Chris "_Shad0w_" Crowther
chrisc@shad0w.org.uk
http://www.shad0w.org.uk/
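The open question in the message above is whether the process that performs the chdir() is the one holding the token. The proftpd log shows the PAM module forking (pid 10846 logs the KRB5CCNAME, pid 10845 later fails the chdir), and AFS tokens are held per PAG, so a token set up in a child is only visible to the parent if the child stayed in the parent's PAG. The script below is an added example, not code from this thread, from OpenAFS or from proftpd: it checks, from inside whatever process runs it, whether that process's PAG holds a token for the cell, and then attempts the same chdir. It assumes the OpenAFS `tokens` client is on PATH and prints token lines of the form `User's (AFS ID N) tokens for afs@CELL [Expires ...]`; the cell name, directory and the sample `tokens` output are constructed placeholders.

```shell
#!/bin/sh
# afs_token_check.sh
# Added example, not code from the original thread or from OpenAFS/proftpd.
# Purpose: answer "does the process that will call chdir() hold an AFS token
# for the cell?" from that process's own context. Tokens are held per PAG, so
# a token obtained by a forked child is only visible to the parent when the
# child did not create a new PAG.
# Assumptions (not from the thread): the OpenAFS `tokens` client is on PATH
# and prints lines of the form
#   User's (AFS ID 1000) tokens for afs@CELL [Expires ...]
# followed by "   --End of list--". CELL and DIR values are placeholders.

# has_token_for_cell CELL TOKENS_OUTPUT
# Pure text check on captured `tokens` output: returns 0 if a token for CELL
# is listed, 1 otherwise. Kept separate from the live call so it can be
# exercised offline. The trailing space prevents prefix matches on cell names.
has_token_for_cell() {
    cell=$1
    output=$2
    printf '%s\n' "$output" | grep -F -q "tokens for afs@${cell} "
}

# token_state CELL
# Runs `tokens` inside the caller's own PAG and reports the result for this
# PID. Exit 0 = token present, 1 = absent, 2 = could not check.
token_state() {
    cell=$1
    if ! output=$(tokens 2>/dev/null); then
        printf 'pid %s: `tokens` unavailable, cannot inspect PAG\n' "$$" >&2
        return 2
    fi
    if has_token_for_cell "$cell" "$output"; then
        printf 'pid %s: token for %s present\n' "$$" "$cell"
        return 0
    fi
    printf 'pid %s: no token for %s\n' "$$" "$cell"
    return 1
}

# try_chdir DIR
# Reproduces the step proftpd performs after authentication, in a subshell so
# the caller's working directory is untouched. Exit 0 on success, 1 on failure.
try_chdir() {
    dir=$1
    if (cd "$dir" 2>/dev/null); then
        printf 'chdir(%s): ok\n' "$dir"
        return 0
    fi
    printf 'chdir(%s): Permission denied or not found\n' "$dir"
    return 1
}

# Constructed sample of `tokens` output (not captured from the thread's host),
# used for the offline demonstration below.
SAMPLE_TOKENS_OUTPUT="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.cell [Expires Jun 27 19:02]
   --End of list--"

# Live usage, from the same session context as the daemon (for example as a
# command executed inside the PAM session):
#   sh afs_token_check.sh run example.cell /afs/example.cell/user/someone
if [ "${1:-}" = "run" ]; then
    token_state "$2"
    try_chdir "$3"
else
    if has_token_for_cell example.cell "$SAMPLE_TOKENS_OUTPUT"; then
        echo "sample output lists a token for example.cell"
    fi
fi
```

Running it once from an interactive shell that has done `kinit`/`aklog` and once from the daemon's session context gives a direct comparison: if the interactive run reports a token and a successful chdir while the session run reports no token, the token exists but is not in the PAG of the process that does the chdir, which is exactly the "destroyed when the PAM module exits" question, narrowed to PAG inheritance.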