[OpenAFS] pam_krb5afs and openssh-4.0p1

lamont@scriptkiddie.org lamont@scriptkiddie.org
Tue, 20 Sep 2005 16:01:02 -0700 (PDT)

Nevermind about #2.  Naturally, as soon as I make a post it fixes itself 
and openssh is setting that correctly.

I believe this confirms that pam_krb5afs ignores KRBCCNAME.  Anyone got a 
patch to make it use the TGT that SSH forwarded to get a ticket for the 
cell and a pag?

On Tue, 20 Sep 2005 lamont@scriptkiddie.org wrote:
> I'm trying to get TGT passing with the gssapi-with-mic auth method of openssh 
> to work with pam_krb5afs to get a token.
> 1.  Does this even work in principle, or does the pam_sm_open_session in 
> pam_krb5afs rely on a stash created in the auth method of pam_krb5afs?  I had 
> hoped that the session part of pam_krb5afs would check for KRB5CCNAME (either 
> via getenv() or pam_getenv()) and would use that if it was set, but now I'm 
> not so sure, but still uncertain at this point of the way the code behaves.
> 2.  KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly, 
> even if pam_krb5afs can use it.  I've verified that gssapi-with-mic and TGT 
> passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh, 
> "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.
> I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.
> Has anyone else been down this road before and know where it leads?
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info