[OpenAFS] openssh-3.7.1, pam and no token after login
Sergio Gelato
Sergio.Gelato@astro.su.se
Mon, 15 Mar 2004 17:18:52 +0100

* Matthew Hoskins [2004-03-15 11:01:17 -0500]:
> This thread seems to have died... Did anyone ever find a combination of
> patches/config options that allow a modern version of openssh to get a
> pag+token?

Yes. OpenSSH 3.8p1 with Heimdal 0.6 (or newer). UsePAM=no,
KerberosAuthentication=yes, KerberosGetAFSToken=yes, and if you apply my
http://www.astro.su.se/~gelato/patches/openssh-3.8p1-1.diff
it will even work with GSSAPI-forwarded TGTs.

I'm looking at making a trimmed-down version of krbafs / libkafs with
just the k_hasafs() and k_setpag() calls; this could be contributed to
OpenSSH, with a helper program being forked to get the actual token
(as advocated by Douglas Engert, who posted some relevant patches to
openssh-unix-dev@mindrot.org). I need this for Linux (Debian woody),
where (obsolete) Heimdal vs. MIT Kerberos issues are getting in my way.
(Most of these should be solved in Debian sarge, but I can't deploy
that in production yet.)

> I have tried just about every combination of UsePAM,
> UsePrivilegeSeparation, 3.7p and 3.8p versions. My platform is Solaris 8.

I'm running happily on Solaris 8 (SPARC) with the above Heimdal-based
setup, and UsePrivilegeSeparation=yes, GSSAPIAuthentication=yes.
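
Added example, not part of the original message or of OpenSSH: a shell check that reads an sshd_config and reports whether it explicitly sets the three options the reply names (UsePAM=no, KerberosAuthentication=yes, KerberosGetAFSToken=yes). The function names `sshd_value` and `check_afs_login_config` are hypothetical, the sample config is constructed, and an option that is not set explicitly is reported as "unset" rather than resolved to a compiled-in default.

```shell
#!/bin/sh
# sshd_value FILE KEYWORD
# Prints the explicitly configured value of KEYWORD, or "unset".
# Follows sshd_config parsing rules: keywords are case-insensitive,
# "Keyword value" and "Keyword=value" are both accepted, and the first
# value read for a keyword is the one that takes effect.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            sub(/^[ \t]+/, "")                 # drop leading whitespace
            # turn "Keyword = value" into "Keyword value"
            if ($0 ~ /^[A-Za-z0-9]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ")
            if (tolower($1) == want) { print tolower($2); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_afs_login_config FILE
# Returns 0 only if all three options from the reply are set as stated there.
check_afs_login_config() {
    rc=0
    for pair in UsePAM:no KerberosAuthentication:yes KerberosGetAFSToken:yes; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is $got, the reply uses $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: commented-out line, "=" form, lower case, duplicate keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# UsePAM yes
usepam = no
KerberosAuthentication yes
KerberosAuthentication no
KerberosGetAFSToken=yes
EOF
check_afs_login_config "$sample" || true
rm -f "$sample"
```
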