[OpenAFS] pam_krb5afs and openssh-4.0p1
lamont@scriptkiddie.org
Tue, 20 Sep 2005 16:01:02 -0700 (PDT)
Never mind about #2. Naturally, as soon as I make a post it fixes itself
and openssh is setting that correctly.

I believe this confirms that pam_krb5afs ignores KRB5CCNAME. Anyone got a
patch to make it use the TGT that SSH forwarded to get a ticket for the
cell and a PAG?

On Tue, 20 Sep 2005 lamont@scriptkiddie.org wrote:
> I'm trying to get TGT passing with the gssapi-with-mic auth method of openssh
> to work with pam_krb5afs to get a token.
>
> 1. Does this even work in principle, or does the pam_sm_open_session in
> pam_krb5afs rely on a stash created in the auth method of pam_krb5afs? I had
> hoped that the session part of pam_krb5afs would check for KRB5CCNAME (either
> via getenv() or pam_getenv()) and would use that if it was set, but now I'm
> not so sure, but still uncertain at this point of the way the code behaves.
>
> 2. KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly,
> even if pam_krb5afs can use it. I've verified that gssapi-with-mic and TGT
> passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh,
> "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.
>
> I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.
>
> Has anyone else been down this road before and know where it leads?