[OpenAFS] Some questions (gssklog, openssh)
Douglas E. Engert
deengert@anl.gov
Tue, 30 Sep 2003 16:51:56 -0500
David Ferch wrote:
>
> Hello there,
>
> I'm using OpenAFS 1.2.10 on Solaris 8/9 here. Two servers using SEAM for
> Kerberos 5 authentication. The same two servers run openafs - so I can't
> get an afs token directly at my clients, because the SEAM daemons are using
> ports 88 and 750. I implemented the gssklog daemon and it runs fine. But I
> can't get mod_gssklog to work.
You mean pam_gssklog?
> It does nothing. I compiled it for 32 and
> 64bit.
> Here's what I added to /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_unix_auth.so.1
> login auth optional pam_krb5.so.1 try_first_pass
> login auth optional /opt/krb5/lib/security/pam_gssklog.so.1
First of all, try adding debug as an option to the above line.
The pam_gssklog will then write some error messages to syslog. This
will show if it is being called.
>
> I modified the sources to point to /opt/krb5/bin/gssklog. Now pam_krb5
> gets a ticket and creates /tmp/krb5c_<uid>. But pam_gssklog can't get a
> token.
Do you mean /tmp/krb5cc_<uid>, i.e. two "c"s for "Credential Cache"?
This is most likely the OpenSSH 3.7.1p2 PAM problem, that the PAM does
not set the environment. So the KRB5CCNAME is not passed.
The pam_gssklog.c has some code #ifdef'ed for HPUX where PAM does not pass the
environment. You might want to look at this; it would allow you to do something like this:
login auth optional /opt/krb5/lib/security/pam_gssklog.so.1 -cache /tmp/krb5c_%u
Was the gssklog linked against the SEAM gss? If not, what GSS?
>
> Second question: I've got OpenSSH 3.7.1p2 to work with the patch from bugzilla
> (someone posted it last week). Now kerberos credential forwarding and
> authentication via gssapi works. But, how can I get an afs token for
> writing the X11 token to ~/.Xauthority?
That is what pam_gssklog should be doing.
I have a ~/.ssh/rc and a ~/.ssh/rc.csh
#!/bin/sh
# openssh calls rc with sh, but mine was csh
# so use csh instead
/bin/csh $HOME/.ssh/rc.csh
#!/bin/csh
# SSH $HOME/.ssh/rc.csh file, which is passed the XAUTH proto
# and data on stdin.
#
set path = (/usr/openwin/bin /usr/bin/X11 $path)
set parms = $<
xauth -q -i add $DISPLAY $parms
Note that this sets the Xauthority.
> Yes, I created ~/.ssh/environment
> and set XAUTHORITY=/afs/.domain.net/users/dferch/.public/.Xauthority. The
> path .public is writeable to system:anyone.
That is a security problem.
> OpenSSH allows user environments
> (in sshd_config). But X11 forwarding won't work. SSHD complains about
> writing to /afs/.domain.net/users/dferch/.Xauthority. I don't know why.
Sounds like it does not have the token yet.
> Maybe someone who gets it working can help me.
>
> Oh, last question. Last week one of the two servers (with the lower ip .4
> - only readonly copies) became unavailable. After 10 minutes I can't access
> my cell from clients. I've got "/afs: no such file or directory". (The
> second server's ip is .6 and it has all rw-volumes on it.) I can't find
> anything about this failure. Does someone know about this?
>
> Thank you for your help.
>
> cu
> David
>
> --
> Against TCPA - nothing fights like the opposition
> http://www.againsttcpa.com
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
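As an added example, not code from either message in this thread: a POSIX-sh version of the ~/.ssh/rc pair above that adds the X11 cookie sshd passes on stdin, but first refuses an XAUTHORITY placed where others can write into its directory, which is the security problem the reply points at. It assumes xauth is on PATH, that sshd runs rc with sh and no arguments (so a one-line ~/.ssh/rc of `sh $HOME/.ssh/rc.sh install` calls it, mirroring the sh-calls-csh wrapper above), and that `fs listacl` prints listings of the shape used in the constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a ~/.ssh/rc body that checks where the
# X11 cookie would land before writing it. sshd passes "proto cookie" for
# $DISPLAY on stdin, as sshd(8) documents; xauth is assumed on PATH.

# unix_dir_writable_by_others DIR: true (0) when group or world may write DIR.
# Parses the mode column of `ls -ld`: char 6 is group write, char 9 is other write.
unix_dir_writable_by_others() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# afs_acl_grants_anyone_write ACL_TEXT: true (0) when system:anyone or
# system:authuser holds insert/delete/write/lock/admin rights in the
# "Normal rights" part of an `fs listacl` listing. Negative rights are skipped.
afs_acl_grants_anyone_write() {
    printf '%s\n' "$1" | awk '
        /^Negative rights:/ { neg = 1 }
        !neg && ($1 == "system:anyone" || $1 == "system:authuser") && $2 ~ /[idwka]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# xauthority_location_ok FILE: refuse a cookie file whose directory others can
# write into. Under /afs the Unix mode bits are not authoritative, so the
# directory ACL is fetched from the fileserver and checked instead.
xauthority_location_ok() {
    dir=$(dirname "$1")
    unix_dir_writable_by_others "$dir" && return 1
    case "$dir" in
        /afs/*)
            command -v fs >/dev/null 2>&1 || return 1
            afs_acl_grants_anyone_write "$(fs listacl "$dir" 2>/dev/null)" && return 1
            ;;
    esac
    return 0
}

# install_x11_cookie: the rc body proper, reading "proto cookie" from stdin.
install_x11_cookie() {
    file=${XAUTHORITY:-$HOME/.Xauthority}
    xauthority_location_ok "$file" || {
        echo "rc: refusing to write X11 cookie to $file" >&2
        return 1
    }
    read -r proto cookie
    [ -n "$proto" ] && [ -n "$cookie" ] || return 1
    # feed the add command on stdin so the cookie never shows up in ps output
    printf 'add %s %s %s\n' "$DISPLAY" "$proto" "$cookie" | xauth -q -f "$file" -
}

# Constructed sample listings in the shape `fs listacl DIR` prints (not captured
# from a real cell), so the ACL check can be exercised offline.
SAMPLE_ACL_OPEN='Access list for /afs/example.net/users/dferch/.public is
Normal rights:
  system:administrators rlidwka
  system:anyone rlidwk
  dferch rlidwka'
SAMPLE_ACL_TIGHT='Access list for /afs/example.net/users/dferch is
Normal rights:
  system:administrators rlidwka
  system:anyone l
  dferch rlidwka
Negative rights:
  system:anyone rlidwka'

# Only run the rc body when invoked as `sh rc.sh install`; sourcing the file
# just defines the functions.
case "${1:-}" in
    install) install_x11_cookie ;;
esac
```

The Unix-mode check catches the ordinary case of a group- or world-writable ~/.ssh or home directory; the ACL check is what matters for the .public directory in the question, where "system:anyone rlidwk" lets any client in the cell replace the cookie file and therefore connect to the forwarded display.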