[OpenAFS] openssh-3.7.1, pam and no token after login

Sergio Gelato Sergio.Gelato@astro.su.se
Mon, 15 Mar 2004 17:18:52 +0100


* Matthew Hoskins [2004-03-15 11:01:17 -0500]:
> This thread seems to have died...  Did anyone ever find a combination of 
> patches/config options that allow a modern version of openssh to get a 
> pag+token?

Yes. OpenSSH 3.8p1 with Heimdal 0.6 (or newer). UsePAM=no,
KerberosAuthentication=yes, KerberosGetAFSToken=yes, and if you apply my
	http://www.astro.su.se/~gelato/patches/openssh-3.8p1-1.diff
it will even work with GSSAPI-forwarded TGTs.

I'm looking at making a trimmed-down version of krbafs / libkafs with
just the k_hasafs() and k_setpag() calls; this could be contributed to
OpenSSH, with a helper program being forked to get the actual token
(as advocated by Douglas Engert, who posted some relevant patches to 
openssh-unix-dev@mindrot.org). I need this for Linux (Debian woody),
where (obsolete) Heimdal vs. MIT Kerberos issues are getting in my way.
(Most of these should be solved in Debian sarge, but I can't deploy
that in production yet.)

> I have tried just about every combination of UsePAM, 
> UsePrivilegeSeparation, 3.7p and 3.8p versions.  My platform is Solaris 8.

I'm running happily on Solaris 8 (SPARC) with the above Heimdal-based
setup, and UsePrivilegeSeparation=yes, GSSAPIAuthentication=yes.
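
One way to confirm that an sshd_config actually carries the combination reported above, as an added example that is not part of the original message or of OpenSSH. The names `effective_settings` and `check` and the sample file are constructed for illustration, and the parser assumes sshd's behaviour of using the first value it reads for a keyword, so a later duplicate line does not override an earlier one.

```python
import re

# Values the message reports as working (OpenSSH 3.8p1 built against Heimdal).
WANTED = {
    "usepam": "no",
    "kerberosauthentication": "yes",
    "kerberosgetafstoken": "yes",
    "useprivilegeseparation": "yes",
    "gssapiauthentication": "yes",
}

# Keyword and argument are separated by whitespace or by a single '='.
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S+)")

def effective_settings(text):
    """Map lowercased keyword -> value, keeping the first occurrence only."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()      # keywords are case-insensitive
        if key == "match":            # stop at conditional blocks (newer sshd)
            break
        seen.setdefault(key, m.group(2))
    return seen

def check(text):
    """Return (keyword, wanted, found) for each setting that differs or is unset."""
    eff = effective_settings(text)
    return [(k, want, eff.get(k)) for k, want in WANTED.items()
            if (eff.get(k) or "").lower() != want]

# Constructed sample: UsePAM appears twice and UsePrivilegeSeparation is absent.
SAMPLE = """\
# sshd_config (constructed for this example)
Protocol 2
UsePAM yes
KerberosAuthentication=yes
kerberosgetafstoken yes
GSSAPIAuthentication = yes
UsePAM no
"""

if __name__ == "__main__":
    for key, want, found in check(SAMPLE):
        print(f"{key}: want {want}, found {found or 'unset'}")
```

A keyword reported as unset falls back to the compiled-in default of the sshd build in use, so it is listed for manual review instead of being assumed correct.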