[OpenAFS] pam_krb5afs and 1.4.0rc5 problems..
lamont@scriptkiddie.org
Tue, 25 Oct 2005 16:45:17 -0700 (PDT)
If you're talking about getting sshd's gssapi-with-mic method to work
correctly, you need the 'external' option on the session line to be
supported by pam_krb5afs. Then sshd does the TGT forwarding for you, and
then calls pam_open_session (oh, you need patches which are in
openssh-4.0p1 or later for this to work) and the 'external' argument tells
pam_krb5afs to do a pam_getenv("KRB5CCNAME") and use the cred passed by
sshd to get tokens for the cell. Set up this way it should work both for
getting a TGT + token on login with a password, and for passing a TGT and
acquiring a token via gssapi-with-mic.
On Tue, 25 Oct 2005, Kurt Seiffert wrote:
> Thanks.
>
> I was able to get it to work with the latest version of pam_krb5 as long as
> sshd is not doing the kerberos login as when I already have a key locally. It
> would be nice to get the sshd kerberos to work, but this is much farther than
> I have gotten before.
>
> Any other thoughts?
>
> Thanks again.
>
> -KAS
> On Oct 25, 2005, at 11:57 AM, lamont@scriptkiddie.org wrote:
>
>>
>>
>> Try:
>>
>> auth    sufficient /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
>> session sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
>>
>> The "use_shmem" option will probably fix what you're seeing below where
>> authentication succeeds, but then session sees 'no v5 creds' because it is
>> running in a different process. The "external" option line is useful so
>> that session will pick up that KRB5CCNAME points to cached creds from the
>> GSSAPI TGT forwarding in sshd.
>>
>> I'm using a CVS checkout of the pam sources which is roughly
>> pam_krb5-2.2.0-0.5. There's a pointer somewhere in the list archives to
>> where you can check them out from CVS...
>>
>> On Tue, 25 Oct 2005, Kurt Seiffert wrote:
>>
>>> We actually have had this problem for awhile.
>>>
>>> We have been trying to get the standard RHEL3 and RHEL4 pam_krb5afs
>>> modules that come with the RHEL. These are rpm's :
>>> pam_krb5-1.77-1 for RHEL3
>>> pam_krb5-2.1.8-1 for RHEL4
>>>
>>> They fail to get tokens at log in.
>>>
>>> I configured the debug option on the pam module and here is the output
>>> dumped to syslog.
>>>
>>> Can anyone point me at what might be the problem?
>>>
>>> Here is the syslog output from the RHEL4 setup:
>>>
>>>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: could not obtain initial v4 creds: 7 (Argument list too long)
>>>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: error obtaining v4 creds: 57 (Invalid slot)
>>>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: authentication succeeds for 'seiffert' (seiffert@IU.EDU)
>>>> Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: pam_authenticate returning 0 (Success)
>>>> Oct 25 10:32:38 rfs3 sshd[4463]: Accepted keyboard-interactive/pam for seiffert from ::ffff:156.56.13.2 port 51720 ssh2
>>>> Oct 25 10:32:38 rfs3 sshd(pam_unix)[4467]: session opened for user seiffert by (uid=0)
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: configured realm 'IU.EDU'
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flags: forwardable
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: no ignore_afs
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: user_check
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: no krb4_convert
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: flag: warn
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: ticket lifetime: 36000
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: renewable lifetime: 36000
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: banner: Kerberos 5
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: ccache dir: /tmp
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: keytab: /etc/krb5.keytab
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: no v5 creds for user 'seiffert', skipping session setup
>>>> Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: pam_open_session returning 0 (Success)
>>>> Oct 25 10:32:38 rfs3 pam_loginuid[4467]: set_loginuid failed opening loginuid
>>>>
>>>
>>> Here is the system-auth file:
>>>
>>>> #%PAM-1.0
>>>> # This file is auto-generated.
>>>> # User changes will be destroyed the next time authconfig is run.
>>>> auth     required   /lib/security/$ISA/pam_env.so
>>>> auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>>> auth     sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
>>>> auth     required   /lib/security/$ISA/pam_deny.so
>>>> account  required   /lib/security/$ISA/pam_unix.so broken_shadow
>>>> account  sufficient /lib/security/$ISA/pam_localuser.so
>>>> account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>>>> account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
>>>> account  required   /lib/security/$ISA/pam_permit.so
>>>> password requisite  /lib/security/$ISA/pam_cracklib.so retry=3
>>>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>>> password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
>>>> password required   /lib/security/$ISA/pam_deny.so
>>>> session  required   /lib/security/$ISA/pam_limits.so
>>>> session  required   /lib/security/$ISA/pam_unix.so
>>>> session  optional   /lib/security/$ISA/pam_krb5afs.so
>>>>
>>>
>>>
>>> Here is the sshd_config file:
>>>
>>>> # $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
>>>> # This is the sshd server system-wide configuration file. See
>>>> # sshd_config(5) for more information.
>>>> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>>>> # The strategy used for options in the default sshd_config shipped with
>>>> # OpenSSH is to specify options with their default value where
>>>> # possible, but leave them commented. Uncommented options change a
>>>> # default value.
>>>> #Port 22
>>>> #Protocol 2,1
>>>> #ListenAddress 0.0.0.0
>>>> #ListenAddress ::
>>>> # HostKey for protocol version 1
>>>> #HostKey /etc/ssh/ssh_host_key
>>>> # HostKeys for protocol version 2
>>>> #HostKey /etc/ssh/ssh_host_rsa_key
>>>> #HostKey /etc/ssh/ssh_host_dsa_key
>>>> # Lifetime and size of ephemeral version 1 server key
>>>> #KeyRegenerationInterval 1h
>>>> #ServerKeyBits 768
>>>> # Logging
>>>> #obsoletes QuietMode and FascistLogging
>>>> #SyslogFacility AUTH
>>>> SyslogFacility AUTHPRIV
>>>> #LogLevel INFO
>>>> # Authentication:
>>>> #LoginGraceTime 2m
>>>> #PermitRootLogin yes
>>>> #StrictModes yes
>>>> #MaxAuthTries 6
>>>> #RSAAuthentication yes
>>>> #PubkeyAuthentication yes
>>>> #AuthorizedKeysFile .ssh/authorized_keys
>>>> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>>>> #RhostsRSAAuthentication no
>>>> # similar for protocol version 2
>>>> #HostbasedAuthentication no
>>>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>>>> # RhostsRSAAuthentication and HostbasedAuthentication
>>>> #IgnoreUserKnownHosts no
>>>> # Don't read the user's ~/.rhosts and ~/.shosts files
>>>> #IgnoreRhosts yes
>>>> # To disable tunneled clear text passwords, change to no here!
>>>> #PasswordAuthentication yes
>>>> #PermitEmptyPasswords no
>>>> # Change to no to disable s/key passwords
>>>> #ChallengeResponseAuthentication yes
>>>> # Kerberos options
>>>> #KerberosAuthentication no
>>>> #KerberosAuthentication yes
>>>> #KerberosOrLocalPasswd yes
>>>> #KerberosTicketCleanup yes
>>>> #KerberosGetAFSToken no
>>>> # GSSAPI options
>>>> #GSSAPIAuthentication no
>>>> #GSSAPIAuthentication yes
>>>> #GSSAPICleanupCredentials yes
>>>> #GSSAPICleanupCredentials yes
>>>> # Set this to 'yes' to enable PAM authentication, account processing,
>>>> # and session processing. If this is enabled, PAM authentication will
>>>> # be allowed through the ChallengeResponseAuthentication mechanism.
>>>> # Depending on your PAM configuration, this may bypass the setting of
>>>> # PasswordAuthentication, PermitEmptyPasswords, and
>>>> # "PermitRootLogin without-password". If you just want the PAM account and
>>>> # session checks to run without PAM authentication, then enable this but set
>>>> # ChallengeResponseAuthentication=no
>>>> #UsePAM no
>>>> UsePAM yes
>>>> #AllowTcpForwarding yes
>>>> #GatewayPorts no
>>>> #X11Forwarding no
>>>> X11Forwarding yes
>>>> #X11DisplayOffset 10
>>>> #X11UseLocalhost yes
>>>> #PrintMotd yes
>>>> #PrintLastLog yes
>>>> #TCPKeepAlive yes
>>>> #UseLogin no
>>>> #UsePrivilegeSeparation yes
>>>> #PermitUserEnvironment no
>>>> #Compression yes
>>>> #ClientAliveInterval 0
>>>> ClientAliveInterval 600
>>>> #ClientAliveCountMax 3
>>>> #UseDNS yes
>>>> #PidFile /var/run/sshd.pid
>>>> #MaxStartups 10
>>>> #ShowPatchLevel no
>>>> # no default banner path
>>>> #Banner /some/path
>>>> # allow only members of the wheel group to login on AFS fileservers
>>>> AllowGroups wheel
>>>> # override default of no subsystems
>>>> Subsystem sftp /usr/libexec/openssh/sftp-server
>>>>
>>>
>>> Let me know if there is any other information that is needed to help
>>> debug this problem.
>>>
>>> We really want to be able to sftp to the AFS filesystem and have the krb
>>> credentials automatically generated.
>>>
>>> Thanks.
>>>
>>> -KAS
>>>
>>> Kurt A. Seiffert | seiffert@indiana.edu
>>> UITS Distributed Storage Services Group | C: 812-345-1892
>>> Indiana University, Bloomington | W: 1 812-855-5089
>>>
>>>
>>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
>
> Kurt A. Seiffert | seiffert@indiana.edu
> UITS Distributed Storage Services Group | C: 812-345-1892
> Indiana University, Bloomington | W: 1 812-855-5089
>
>
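As an added example, not part of the thread and not code from pam_krb5, OpenSSH or OpenAFS: a small POSIX shell script that turns the diagnosis in this message into two checks. diagnose_log reads pam_krb5 syslog lines and reports whether the "authentication succeeds" and "no v5 creds" messages came from different sshd PIDs (the process split that use_shmem=sshd is meant to bridge), and check_pam_krb5afs lints a PAM stack for the use_shmem=sshd and external options on the pam_krb5afs auth and session lines. The function names and the sample log and config lines are constructed for this example, modelled on the excerpts quoted above; combining the reply's options with the original use_first_pass tokens auth line is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the thread above. Two checks for the symptom
# and the fix discussed in this message: (1) did pam_authenticate succeed
# in one sshd process while pam_open_session found "no v5 creds" in
# another, and (2) does the PAM stack carry use_shmem=sshd / external on
# its pam_krb5afs lines. Function names and sample data are constructed.

# Constructed sample log, shaped like the RHEL4 syslog excerpt in the thread.
sample_log() {
    cat <<'EOF'
Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: authentication succeeds for 'seiffert' (seiffert@IU.EDU)
Oct 25 10:32:38 rfs3 sshd[4465]: pam_krb5[4465]: pam_authenticate returning 0 (Success)
Oct 25 10:32:38 rfs3 sshd[4463]: Accepted keyboard-interactive/pam for seiffert from ::ffff:156.56.13.2 port 51720 ssh2
Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: no v5 creds for user 'seiffert', skipping session setup
Oct 25 10:32:38 rfs3 sshd[4467]: pam_krb5[4467]: pam_open_session returning 0 (Success)
EOF
}

# diagnose_log: read pam_krb5 syslog lines on stdin and compare the PID that
# logged "authentication succeeds" with the PID that logged "no v5 creds".
# Prints SPLIT_PROCESS <auth_pid> <session_pid>, SAME_PROCESS <pid>, or
# INCONCLUSIVE when one of the two markers is absent.
diagnose_log() {
    awk '
    function pid_of(line,    s) {
        # pull NNNN out of "pam_krb5[NNNN]"; "pam_krb5[" is 9 characters
        if (match(line, /pam_krb5\[[0-9]+]/)) {
            s = substr(line, RSTART + 9, RLENGTH - 10)
            return s
        }
        return ""
    }
    /pam_krb5\[[0-9]+]: authentication succeeds/ { auth = pid_of($0) }
    /pam_krb5\[[0-9]+]: no v5 creds/            { sess = pid_of($0) }
    END {
        if (auth == "" || sess == "") print "INCONCLUSIVE"
        else if (auth != sess)        print "SPLIT_PROCESS " auth " " sess
        else                          print "SAME_PROCESS " auth
    }'
}

# check_pam_krb5afs: read a PAM stack on stdin and report which of the
# options recommended in this message are missing from its pam_krb5afs
# auth and session lines. Prints one "MISSING ..." line per gap, or "OK".
check_pam_krb5afs() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
        # locate the module field so control tokens like [default=bad ...] do not confuse us
        m = 0
        for (i = 2; i <= NF; i++) if ($i ~ /pam_krb5afs\.so$/) { m = i; break }
        if (m == 0) next
        seen[$1] = 1
        for (i = m + 1; i <= NF; i++) opt[$1, $i] = 1
    }
    END {
        n = 0
        if (!("auth" in seen))    { print "MISSING auth line using pam_krb5afs"; n++ }
        if (!("session" in seen)) { print "MISSING session line using pam_krb5afs"; n++ }
        if (("auth" in seen) && !(("auth", "use_shmem=sshd") in opt)) { print "MISSING auth use_shmem=sshd"; n++ }
        if (("session" in seen) && !(("session", "external") in opt)) { print "MISSING session external"; n++ }
        if (("session" in seen) && !(("session", "use_shmem=sshd") in opt)) { print "MISSING session use_shmem=sshd"; n++ }
        if (n == 0) print "OK"
    }'
}

# Constructed: the posted system-auth reduced to its pam_krb5afs-relevant
# lines, before and after applying the options from the reply.
sample_pam_before() {
    cat <<'EOF'
#%PAM-1.0
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
auth     required   /lib/security/$ISA/pam_deny.so
account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
session  required   /lib/security/$ISA/pam_unix.so
session  optional   /lib/security/$ISA/pam_krb5afs.so
EOF
}

sample_pam_after() {
    cat <<'EOF'
#%PAM-1.0
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens debug use_shmem=sshd
auth     required   /lib/security/$ISA/pam_deny.so
account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
session  required   /lib/security/$ISA/pam_unix.so
session  sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
EOF
}

# Stand-alone run: the log diagnosis, then the lint before and after the fix.
sample_log | diagnose_log
sample_pam_before | check_pam_krb5afs
sample_pam_after | check_pam_krb5afs
```

On a real host, feed the functions the live data instead of the samples: `grep pam_krb5 /var/log/secure | diagnose_log` and `check_pam_krb5afs < /etc/pam.d/system-auth`. A SPLIT_PROCESS result with different PIDs is the signature described in the reply; SAME_PROCESS with "no v5 creds" points at something other than the process split.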