[OpenAFS] obtaining a token after openssh GSSAPI credential-delegation
Douglas E. Engert
deengert@anl.gov
Mon, 12 Sep 2005 14:17:26 -0500
See https://lists.openafs.org/pipermail/openafs-info/2005-May/017905.html
This shows how to use PAM with ssh. It also works on Solaris 10.
Alexander Bergolth wrote:
> Hi!
>
> I'm using GSSAPI credential-delegation to forward my kerberos 5
> tgt-ticket when initiating an openssh session.
>
> GSSAPI-authentication and ticket forwarding works fine but now I'm
> looking for a way to obtain an AFS-token from the TGT to be able to
> enter my home-directory which resides in AFS. I don't want to do that
> using aklog in the shell-profile, I'd prefer something like a pam-module.
>
> I've tried to use a pam-session entry containing the pam_krb5 module but
> it looks like this module requires a pam-stash in the session stage,
> that is initialized in the auth-stage. If GSSAPI-authentication is used,
> the auth stage isn't used and therefore the session setup is skipped.
>
> Sep 11 15:02:27 roaster sshd[5837]: pam_krb5[5837]: no v5 creds for user
> 'bergolth', skipping session setup
>
> Is there a pam_module that obtains a token from a krb5 ticket in the
> session stage without needing an auth stage?
>
> Btw.: Maybe there is a second problem: I've straced the sshd
> login-process and it looks like the KRB5CCNAME environment variable is
> set (by another thread) _after_ the pam-session modules are executed.
> (See the strace excerpt below.)
>
> Any help would be greatly appreciated.
>
> Cheers,
> --leo
>
> # egrep 'no v5|krb5cc|clone' /tmp/urxn.txt
> open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600)
> = 12
> unlink("/tmp/krb5cc_5020_WO5082") = 0
> open("/tmp/krb5cc_5020_WO5082",
> O_RDWR|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 12
> open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_LARGEFILE) = 12
> clone(Process 5083 attached
> [pid 5083] send(10, "<39>Sep 11 13:28:30 sshd[5083]: pam_krb5[5083]: no
> v5 creds for user \'bergolth\', skipping session setup", 103,
> MSG_NOSIGNAL) = 103
> [pid 5083] write(2, "debug1: Setting KRB5CCNAME to
> FILE:/tmp/krb5cc_5020_WO5082\r\n", 60 <unfinished ...>
> [pid 5082] <... read resumed> "debug1: Setting KRB5CCNAME to
> FILE:/tmp/krb5cc_5020_WO5082\r\r\n", 16384) = 61
> [pid 5083] write(2, " KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\n", 42
> <unfinished ...>
> [pid 5082] <... read resumed> "Environment:\r\n
> KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\r\n USER=bergolth\r\n
> LOGNAME=bergolth\r\n HOME=/afs/wu-wien.ac.at/home/edvz/bergolth\r\n
> PATH=/usr/local/bin:/bin:/usr/bin\r\n MAIL=/var/mail/bergolth\r\n",
> 16384) = 204
> [pid 5083] clone( <unfinished ...>
> [pid 5083] <... clone resumed> child_stack=0,
> flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
> child_tidptr=0xb7f9c708) = 5084
> write(2, "debug1: removing gssapi cred
> file\"/tmp/krb5cc_5020_WO5082\"\r\n", 60debug1: removing gssapi cred
> file"/tmp/krb5cc_5020_WO5082"
> unlink("/tmp/krb5cc_5020_WO5082") = 0
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
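The following is an added example and is not code from this thread, from OpenAFS or from Linux-PAM. It sketches the kind of session-stage helper the question asks for: a script that turns the Kerberos 5 credential cache sshd exported in KRB5CCNAME into an AFS token with aklog, run as the user from the PAM session stage. It assumes a PAM module that executes a program as the user (pam_exec.so with its seteuid option is assumed here; the thread does not name one), that the module exports PAM_USER, and an install path of /usr/local/sbin/afs-token.sh; the logger tag "afs-token" is likewise a choice made for this example. The two failure modes the thread describes are handled explicitly: KRB5CCNAME not yet set when the session modules run (the helper logs and steps aside instead of guessing a cache path), and a cache that is not the user's own (owner and mode are checked before aklog is run).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS: a session-stage
# helper that turns the Kerberos 5 TGT sshd wrote for the user into an AFS
# token. It is meant to be run by a PAM session module that executes a
# program as the user (pam_exec.so with its "seteuid" option is assumed;
# the thread itself does not name one), e.g.
#   session optional pam_exec.so seteuid /usr/local/sbin/afs-token.sh
# PAM_USER is the environment variable pam_exec is assumed to export.

# Print the credential cache file named by KRB5CCNAME.
# Returns 1 if KRB5CCNAME is unset or empty, which is exactly what happens
# when the session stage runs before sshd has exported the variable
# (the ordering the quoted strace excerpt suggests), or if it names a
# non-file cache type (API:, KEYRING:, DIR:, ...) this helper does not handle.
resolve_ccache() {
    case "${KRB5CCNAME:-}" in
        '')      return 1 ;;
        FILE:*)  printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        *:*)     return 1 ;;
        *)       printf '%s\n' "$KRB5CCNAME" ;;
    esac
}

# Accept a cache only if it is a regular file, owned by the target user
# ($2), and readable by nobody else. Using a cache that fails these checks
# could hand the session another principal's credentials.
# ls -ld is used instead of stat(1) because stat's syntax differs between
# Linux and Solaris.
ccache_usable() {
    ccpath=$1
    ccuser=$2
    [ -f "$ccpath" ] || return 1
    ccls=$(ls -ld "$ccpath") || return 1
    ccowner=$(printf '%s\n' "$ccls" | awk '{print $3}')
    ccmode=$(printf '%s\n' "$ccls" | cut -c5-10)   # group+other permission bits
    [ "$ccowner" = "$ccuser" ] || return 1
    [ "$ccmode" = "------" ] || return 1
    return 0
}

# Run aklog against a verified cache. When no usable cache is present it
# logs and still returns 0 so that an "optional" PAM entry does not block
# the login; the user can fall back to running aklog by hand.
get_afs_token() {
    user=$1
    if ! ccpath=$(resolve_ccache); then
        logger -p auth.info -t afs-token "no FILE: ccache in KRB5CCNAME for $user; skipping aklog" 2>/dev/null
        return 0
    fi
    if ! ccache_usable "$ccpath" "$user"; then
        logger -p auth.warning -t afs-token "refusing ccache $ccpath for $user (owner/mode check failed)" 2>/dev/null
        return 0
    fi
    KRB5CCNAME="FILE:$ccpath" aklog
}

# Only act when invoked from PAM (PAM_USER set); sourcing the file for
# testing leaves the functions defined without side effects.
if [ -n "${PAM_USER:-}" ]; then
    get_afs_token "$PAM_USER"
fi
```

Because aklog is run here without creating a PAG, the token it obtains is associated with the user's uid rather than with the helper's short-lived process, so the login shell that follows sees it; if the cache is not yet exported at that point, as the strace excerpt suggests can happen, the helper leaves a line in the auth log naming the user, which is the first thing to look for when tokens silently fail to appear.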