[OpenAFS] obtaining a token after openssh GSSAPI credential-delegation
Douglas E. Engert
deengert@anl.gov
Wed, 14 Sep 2005 09:46:52 -0500
Garance A Drosihn wrote:
> At 2:17 PM -0500 9/12/05, Douglas E. Engert wrote:
>
>> See
>> https://lists.openafs.org/pipermail/openafs-info/2005-May/017905.html
>> This shows how to use PAM with ssh. It also works on Solaris 10.
>
>
> It happens that I'm in the middle of trying to compile the latest
> openssh on some solaris 8 boxes. We have an older version of openSSH
> compiled (with a few kludges) and working, but I wanted to get our
> OpenSSH world on better footing. These machines are also still
> running an older version of OpenAFS (1.2.11). I did at least build
> the latest versions of OpenSSL and Heimdal.
>
> What I've put together so far is *almost* working. I can ssh into
> the box, and it will ask for and correctly check my password.
Is this your Kerberos password? The above referenced packages
assume you are logging in with a Kerberos password, either via
the built-in Kerberos support in sshd or via a pam_krb5 called by
sshd, or have authenticated with GSSAPI.
It is assuming the use of Kerberos v5.
> But
> it logs me in without any AFS credentials. If I then do a 'kinit',
> I end up with both kerberos and AFS credentials. I'm about 98% sure
> the problem is that I'm still using the PAM module from our previous
> setup. Not much of a surprise there...
>
> Looking at the above URL, I am not sure that it will help me. Would
> this depend on a newer version of OpenAFS?
There were some bug reports on the order of handling of KRB5CCNAME and
calling the PAM session, that were fixed in 4.1. I have the patch for 3.9
if you need it.
> Does it depend on Solaris 10 (instead of 8)?
No, we are using OpenSSH-4.1p1 on Solaris 8. On Solaris 10 we are using
the Solaris Kerberos and ssh.
> In your message from May, you said you were still
> working on the pam.conf changes for Solaris 10. Do you have that
> done at this point?
>
Yes, see attachment. The pam.conf.sun4x_57 is for 57 and 58 using the
MIT Kerberos.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
-------- attachment: pam.conf.sun4x_510 --------
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krlogin auth required /krb5/lib/pam_afs2.so.1
#krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
krsh auth required /krb5/lib/pam_afs2.so.1
#krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
#DEE leave unmodified till the pam.conf and pam_afs2 are stable
#DEE leaves us a way on to machine
# But this allows password login
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# DEE from pam_krb5_man pages:
#DEE smartcard failed, so skip it for now
#dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth required pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs2.so.1
# allows password login
dtlogin auth optional pam_unix_auth.so.1
#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth optional pam_krb5.so.1
dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession auth optional pam_unix_auth.so.1
#
# xlock
#
xlock auth requisite pam_authtok_get.so.1
xlock auth required pam_dhkeys.so.1
xlock auth optional pam_krb5.so.1
xlock auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
xlock auth optional pam_unix_auth.so.1
#
# xscreensaver used by gnome or CDE
#
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth optional pam_krb5.so.1
xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
xscreensaver auth optional pam_unix_auth.so.1
#
#
# sshd - keyboard interactive uses all PAM exits, but
# PAM session is called when GSSAPI delegation or
# Kerberos password used, so get AFS token in all three cases.
# We want a session type cache, so with ANL PAM
# pass in ccache= to account routine
# RedHat PAM uses session caches already
#
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_krb5.so.1
# allows login with local password
sshd-kbdint auth optional pam_unix_auth.so.1
sshd-kbdint account requisite pam_roles.so.1
sshd-kbdint account required pam_unix_account.so.1
sshd-kbdint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
sshd-kbdint session required pam_unix_session.so.1
sshd-kbdint session required /krb5/lib/pam_afs2.so.1
# Used by GSS, but ssh has bug about saving creds, so we use session based creds.
sshd-gssapi account requisite pam_roles.so.1
sshd-gssapi account required pam_unix_account.so.1
sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
sshd-gssapi session required pam_unix_session.so.1
sshd-gssapi session required /krb5/lib/pam_afs2.so.1
sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 clean
-------- attachment: pam.conf.sun4x_57 --------
#ident "@(#)pam.conf 1.19 95/11/30 SMI"
#
# PAM configuration
#
# With ANL mods to use with krb5-1.3.4 /krb5/lib/pam_krb5.so.1
# which will get an AFS token and PAG
#
# Authentication management
#
login auth sufficient /krb5/lib/pam_krb5.so.1 forwardable
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#login auth required /usr/lib/security/pam_dial_auth.so.1
#
#rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
#rlogin auth required /usr/lib/security/pam_unix.so.1
#
dtlogin auth sufficient /krb5/lib/pam_krb5.so.1 forwardable
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
#rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
#
dtsession auth sufficient /krb5/lib/pam_krb5.so.1 forwardable
dtsession auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
login account required /krb5/lib/pam_krb5.so.1
login account required /usr/lib/security/pam_unix.so.1
#
dtlogin account required /krb5/lib/pam_krb5.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account required /krb5/lib/pam_krb5.so.1
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
login session optional /krb5/lib/pam_krb5.so.1
login session required /usr/lib/security/pam_unix.so.1
#
dtlogin session optional /krb5/lib/pam_krb5.so.1
dtlogin session required /usr/lib/security/pam_unix.so.1
#
other session optional /krb5/lib/pam_krb5.so.1
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
login password optional /krb5/lib/pam_krb5.so.1
dtlogin password optional /krb5/lib/pam_krb5.so.1
other password required /usr/lib/security/pam_unix.so.1
#
#
# sshd - keyboard interactive uses all PAM exits, but
# privsep gets in the way. So use force.
# PAM session is called when GSSAPI delegation or
# Kerberos password used, so get AFS token in all three cases.
# We want a session type cache, so with ANL PAM
# pass in ccache=
# We need ccache= on HP as it does not have pam_putenv
# RedHat PAM uses session cache already
#
###sshd auth requisite pam_authtok_get.so.1
###sshd auth required pam_dhkeys.so.1
sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds
sshd auth required /usr/lib/security/pam_unix.so.1
#
sshd session required /usr/lib/security/pam_unix.so.1
sshd session required /krb5/lib/pam_afs2.so.1
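A consistency check for pam.conf files of the kind attached above, written as an added example for this page; it is not part of Doug's mail, of the ANL PAM modules, or of OpenSSH. It parses the Solaris "service type control module [options]" grammar and flags the two things a reviewer would want to catch in the sshd section: service names that are one typo apart (as in the attached file, where the auth stack is under "sshd-kbdint" but the account and session stacks are under "sshd-kdbint", so the misspelled stacks never match the service sshd actually calls and fall through to "other"), and a pam_krb5_ccache "ccache=" cache created in an account stack with no session line passing "clean". That the "clean" option is what removes the session cache is an assumption drawn from the comments in the file, not documented here. The embedded sample is constructed from the sshd lines of pam.conf.sun4x_510, misspelling included.

```python
"""Lint a Solaris-style pam.conf for stack consistency (added example)."""
from collections import defaultdict

# Constructed sample: the sshd section of pam.conf.sun4x_510 as posted,
# including its 'kdbint' misspelling.
SAMPLE_PAM_CONF = """\
# sshd - keyboard interactive
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_krb5.so.1
sshd-kbdint auth optional pam_unix_auth.so.1
sshd-kdbint account requisite pam_roles.so.1
sshd-kdbint account required pam_unix_account.so.1
sshd-kdbint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
sshd-kdbint session required pam_unix_session.so.1
sshd-kdbint session required /krb5/lib/pam_afs2.so.1
sshd-gssapi account requisite pam_roles.so.1
sshd-gssapi account required pam_unix_account.so.1
sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
sshd-gssapi session required pam_unix_session.so.1
sshd-gssapi session required /krb5/lib/pam_afs2.so.1
sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 clean
"""

VALID_TYPES = {"auth", "account", "session", "password"}
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional", "binding", "include"}


def parse_pam_conf(text):
    """Return one dict per entry; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need service/type/control/module: {raw!r}")
        service, mtype, control, module, *options = fields
        if mtype not in VALID_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if control not in VALID_CONTROLS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        entries.append({"line": lineno, "service": service, "type": mtype,
                        "control": control, "module": module, "options": options})
    return entries


def edit_distance(a, b):
    """Optimal-string-alignment distance: an adjacent transposition costs 1,
    so 'kbdint' and 'kdbint' are one edit apart."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def stack_types(entries):
    """Map service name -> set of PAM stack types it defines."""
    stacks = defaultdict(set)
    for e in entries:
        stacks[e["service"]].add(e["type"])
    return dict(stacks)


def find_near_miss_services(entries):
    """Pairs of service names one edit apart: almost always a typo, and the
    misspelled stack silently falls through to the 'other' service."""
    names = sorted(stack_types(entries))
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if edit_distance(a, b) == 1]


def find_uncleaned_ccaches(entries):
    """Services whose account stack creates a ccache= file but whose session
    stack never passes 'clean' to pam_krb5_ccache.  Assumption: 'clean' is
    what removes the per-login cache at logout, as the file's comments imply."""
    creates, cleans = set(), set()
    for e in entries:
        if not e["module"].endswith("pam_krb5_ccache.so.1"):
            continue
        if e["type"] == "account" and any(o.startswith("ccache=") for o in e["options"]):
            creates.add(e["service"])
        if e["type"] == "session" and "clean" in e["options"]:
            cleans.add(e["service"])
    return sorted(creates - cleans)


def lint(text):
    entries = parse_pam_conf(text)
    return {"near_miss": find_near_miss_services(entries),
            "uncleaned_ccache": find_uncleaned_ccaches(entries),
            "stacks": {s: sorted(t) for s, t in stack_types(entries).items()}}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONF
    report = lint(source)
    for a, b in report["near_miss"]:
        print(f"WARN: service names {a!r} and {b!r} differ by one edit")
    for s in report["uncleaned_ccache"]:
        print(f"WARN: {s}: ccache= created in account stack, never cleaned in session stack")
    for s, types in report["stacks"].items():
        print(f"{s}: {' '.join(types)}")
```

Run it against /etc/pam.conf to check a live box. On the sample it reports the kbdint/kdbint pair, and that the keyboard-interactive cache is never cleaned; the per-service stack listing also makes visible what the comments in the file describe, namely that sshd-gssapi defines only account and session stacks, so the AFS token has to come from pam_afs2 in the session stack when the user arrives with delegated GSSAPI credentials.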