[OpenAFS] openssh-3.7.1, pam and no token after login

Matthew E Hoskins - SAGE AFS matt@njit.edu
Tue, 16 Mar 2004 06:37:32 -0500


These solutions seem krb5-centric; we use kaserver on all our cells.

Sergio Gelato wrote:

>* Matthew Hoskins [2004-03-15 11:01:17 -0500]:
>
>>This thread seems to have died...  Did anyone ever find a combination of 
>>patches/config options that allow a modern version of openssh to get a 
>>pag+token?
>
>Yes. OpenSSH 3.8p1 with Heimdal 0.6 (or newer). UsePAM=no,
>KerberosAuthentication=yes, KerberosGetAFSToken=yes, and if you apply my
>	http://www.astro.su.se/~gelato/patches/openssh-3.8p1-1.diff
>it will even work with GSSAPI-forwarded TGTs.
>
>I'm looking at making a trimmed-down version of krbafs / libkafs with
>just the k_hasafs() and k_setpag() calls; this could be contributed to
>OpenSSH, with a helper program being forked to get the actual token
>(as advocated by Douglas Engert, who posted some relevant patches to 
>openssh-unix-dev@mindrot.org). I need this for Linux (Debian woody),
>where (obsolete) Heimdal vs. MIT Kerberos issues are getting in my way.
>(Most of these should be solved in Debian sarge, but I can't deploy
>that in production yet.)
>
>>I have tried just about every combination of UsePAM, 
>>UsePrivilegeSeparation, 3.7p and 3.8p versions.  My platform is Solaris 8.
>
>I'm running happily on Solaris 8 (SPARC) with the above Heimdal-based
>setup, and UsePrivilegeSeparation=yes, GSSAPIAuthentication=yes.