[OpenAFS] Some questions (gssklog, openssh)

Douglas E. Engert deengert@anl.gov
Tue, 30 Sep 2003 16:51:56 -0500

David Ferch wrote:
> Hello there,
> I'm using OpenAFS 1.2.10 on Solaris 8/9 here. Two servers using SEAM for
> Kerberos 5 authentication. The same two servers run openafs - so I can't
> get an afs token direct at my clients, because the SEAM daemons using
> ports 88 and 750. I implemented gssklog daemon and it runs fine. But I
> can't get mod_gssklog work. 

You mean pam_gssklog?

> It does nothing. I compiled it for 32 and
> 64bit.
> Here's what I added to /etc/pam.conf:
> login  auth requisite   pam_authtok_get.so.1
> login  auth required    pam_unix_auth.so.1
> login  auth optional    pam_krb5.so.1 try_first_pass
> login  auth optional    /opt/krb5/lib/security/pam_gssklog.so.1

First of al try adding debug as an option to the above line.
The pam_gssklog will then write to syslog soe eror messages. This
will show if it is being called. 

> I modified the sources to point to /opt/krb5/bin/gssklog. Now pam_krb5
> get's an ticket and create /tmp/krb5c_<uid>. But pam_gssklog can't get an
> token.

Do you mean /tmp/krb5cc_<uid> i.e. two "c" for "Credential Cache".

This is most likly the OpenSSH 3.7.1p2 PAM problem, that the PAM does 
not set the environment. So the KRB5CCNAME is not passed. 

The pam_gssklog.c has some code #ifdef'ed for HPUX where PAM does not pass the
environment. You might wnat to look at this it would allow you to do something like this:  

login  auth optional    /opt/krb5/lib/security/pam_gssklog.so.1 -cache /tmp/krb5c_%u

Was the gssklog linked against the SEAM gss? If not what GSS?

> Second question: I've got OpenSSH 3.7.1p2 work with patch from bugzilla
> (someone posted it last week). Now kerberos credential forwarding and
> authentication via gssapi works. But, how can I get an afs token for
> writing the X11 token to ~/.Xauthority. 

That is what pam_gssklog should be doing. 

I have a ~/.ssh/rc and a ~/.ssh/rc.csh 

# openssh calls rc with sh, but mine was csh
# so use csh instead
/bin/csh $HOME/.ssh/rc.csh

# SSH $HOME/.ssh/rc.csh file which is passed in stdin 
# the XAUTH proto and data. 
set path = (/usr/openwin/bin /usr/bin/X11 $path)
set parms = $<
xauth -q -i add $DISPLAY $parms

Note that this sets the Xauthority. 

>Yes, I created ~/.ssh/environement
> and set XAUTHORITY=/afs/.domain.net/users/dferch/.public/.Xauthority. The
> path .public is writeable to system:anyone.

That is a security problem. 

> OpenSSH allow userenvironments
> (in sshd_config). But X11 forwarding won't work. SSHD complains about
> writing to /afs/.domain.net/users/dferch/.Xauthority. I don't know why.

Sounds like it does not have the token yet.

> Maybe someone who gets it working can help me.
> Oh, last question. Last week one of the two servers (with the lower ip .4
> - only readonly copies) comes unavailable. After 10 minutes I can't access
> my cell from clients. I've got "/afs: no such file or directory". The
> second servers ip is .6 and it has all rw-volumes on it). I can't find
> something about this failure. Does someone knows about ?
> Thank you for your help.
> cu
> David
> --
> Against TCPA - nothing fights like the opposition
> http://www.againsttcpa.com
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444