[OpenAFS-devel] Re: [OpenAFS] AFS / PAM / SSH / (w/o Kerberos)

Douglas E. Engert deengert@anl.gov
Fri, 10 Dec 2004 16:19:00 -0600


TOBx wrote:

>>>
>>> Has anyone a good documentation of the pam_afs-Module? It seems to
>>> me, as if the parameters one can set for the module aren't making a
>>> difference?
>>
>> [EC] Maybe you should try to compile SSH with PAM support.
> 
> 
> I did this. But it doesn't help.
> 
> In /etc/pam.d/sshd I added the option 'debug' to the pam_afs.so.2-module.
> So I get nice info about what the pam-module does when I try to log in.
> SSH tries to authenticate the user (with username and passwd) 2 (!) times.
> While the first time it seems as if the auth is successful, the second 
> try prints a message like "unable to get the passwd from pam". ;-(
> (Unfortunately I'm currently not at work and so I'm unable to attach 
> the log... but I can send it, if someone cares for the exact message.)
> 

The problem is most likely that a token and PAG may be obtained, but under
the wrong process, because of the Priv Sep code.

> After googling for quite a long time I found some information about an 
> AFS support for SSH.
> But as far as I know, there is a __little__ Problem with this. It's 
> deprecated. ;-(
> 
> Was this the support  of the AFS-Token__passing__-feature?
> 
> However I just want to login via ssh from __any__ client and get a valid 
> AFS (no stand-alone Kerberos stuff!)

Not sure what you mean by "no stand-alone Kerberos stuff".

> token created on the machine.
> I can't believe that nobody else wants/has this feature already 
> realized?! ;-)

Most sites are or are headed to using Kerberos V5 with AFS,
i.e. not using AFS for authentication at all.

We use OpenSSH in a number of ways, including the GSSAPI with
a delegated credential, and entering in a Krb5 user and password.
In both cases a Krb5 ticket cache is created, and we have PAM
use this to get an AFS token.


> 
> Maybe s.o helps me with this....
> 
> Greets
>   Tobias
> 
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
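As an added example, not part of this thread or of OpenAFS itself: a small check to run in the login shell after sshd/PAM authentication, to confirm that the token and PAG actually landed in the session the user ended up with rather than in a privilege-separated child. It assumes the OpenAFS `tokens` command with its usual output format and, on Linux, a PAG marked by a group id in the 0x41000000 range; the sample `tokens` outputs are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumptions: OpenAFS `tokens`
# prints one "User's (AFS ID n) tokens for afs@CELL [...]" line per token,
# and a Linux PAG shows up in `id -G` as a gid in 0x41000000..0x41FFFFFF.

# Print how many AFS token lines appear in the `tokens` output given as $1.
afs_token_count() {
    printf '%s\n' "$1" | grep -c "tokens for afs@" || true
}

# Return 0 if the space-separated gid list in $1 contains a PAG group.
in_pag_from_groups() {
    for gid in $1; do
        if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample outputs, not real captures.
SAMPLE_WITH_TOKEN="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Dec 11 02:19]
   --End of list--"
SAMPLE_NO_TOKEN="Tokens held by the Cache Manager:

   --End of list--"

# Run the live check: succeed only if this shell holds a token AND is in a PAG.
# A token without a PAG (or vice versa) is the symptom of it being set up
# in the wrong process during PAM authentication.
check_session() {
    out=$(tokens 2>&1)
    n=$(afs_token_count "$out")
    if in_pag_from_groups "$(id -G)"; then pag=yes; else pag=no; fi
    echo "AFS tokens in this shell: $n, in PAG: $pag"
    [ "$n" -gt 0 ] && [ "$pag" = yes ]
}

# Only run the live check where OpenAFS is installed.
if command -v tokens >/dev/null 2>&1; then
    check_session
fi
```

Run it from the shell you get after `ssh` login; the PAM `debug` output only shows what the module did in the authenticating process, not what survived into the session.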