[OpenAFS] pam_krb5afs and openssh-4.0p1

lamont@scriptkiddie.org
Tue, 20 Sep 2005 15:43:24 -0700 (PDT)


I'm trying to get TGT passing with the gssapi-with-mic auth method of 
openssh to work with pam_krb5afs to get a token.

1.  Does this even work in principle, or does the pam_sm_open_session in 
pam_krb5afs rely on a stash created in the auth method of pam_krb5afs?  I 
had hoped that the session part of pam_krb5afs would check for KRB5CCNAME 
(either via getenv() or pam_getenv()) and would use that if it was set, 
but now I'm not so sure, and I'm still uncertain at this point about the 
way the code behaves.

2.  KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly, 
even if pam_krb5afs can use it.  I've verified that gssapi-with-mic and 
TGT passing work correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh, 
"KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.

I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.

Has anyone else been down this road before and knows where it leads?