[OpenAFS] pam_krb5afs and openssh-4.0p1
Tue, 20 Sep 2005 23:51:25 -0700 (PDT)
Well, I found out where the road leads...
Wound up using pam_krb5 only for kerberos. It will not work with a GSSAPI
passed TGT to just get a PAG. There's also an issue discussed previously
on this list about needing to turn off challenge-response in openafs to
make this work. Chaining after pam_krb5 in the session section I put
pam_afs2 which calls out to /usr/bin/afs5log (the standalone aklog-ish
piece of pam_krb5afs). Works both on initial login and for SSO now.
This will not work for anything which doesn't allow passing PAM stashes
from the auth function of pam_krb5 to the session function of pam_krb5
(like OpenSSH's challenge-reponse auth). It is only after
pam_sm_open_session() in pam_krb5 that you have KRB5CCNAME set and
pointing to a valid TGT.
Other little details are that pam_krb5afs assumes the /afs/<cellname>
convention and that afs5log pukes on the -p <homedir> option that
pam_afs2 passes to it, so it doesn't work out of the box.
On Tue, 20 Sep 2005 email@example.com wrote:
> Nevermind about #2. Naturally, as soon as I make a post it fixes itself and
> openssh is setting that correctly.
> I believe this confirms that pam_krb5afs ignores KRBCCNAME. Anyone got a
> patch to make it use the TGT that SSH forwarded to get a ticket for the cell
> and a pag?
> On Tue, 20 Sep 2005 firstname.lastname@example.org wrote:
>> I'm trying to get TGT passing with the gssapi-with-mic auth method of
>> openssh to work with pam_krb5afs to get a token.
>> 1. Does this even work in principle, or does the pam_sm_open_session in
>> pam_krb5afs rely on a stash created in the auth method of pam_krb5afs? I
>> had hoped that the session part of pam_krb5afs would check for KRB5CCNAME
>> (either via getenv() or pam_getenv()) and would use that if it was set,
>> but now I'm not so sure, but still uncertain at this point of the way the
>> code behaves.
>> 2. KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly,
>> even if pam_krb5afs can use it. I've verified that gssapi-with-mic and
>> TGT passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh,
>> "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.
>> I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.
>> Has anyone else been down this road before and know where it leads?
>> OpenAFS-info mailing list
> OpenAFS-info mailing list