[OpenAFS] pam_krb5afs and openssh-4.0p1

lamont@scriptkiddie.org lamont@scriptkiddie.org
Tue, 20 Sep 2005 23:51:25 -0700 (PDT)

Well, I found out where the road leads...

Wound up using pam_krb5 only for kerberos.  It will not work with a GSSAPI 
passed TGT to just get a PAG.  There's also an issue discussed previously 
on this list about needing to turn off challenge-response in openafs to 
make this work.  Chaining after pam_krb5 in the session section I put 
pam_afs2 which calls out to /usr/bin/afs5log (the standalone aklog-ish 
piece of pam_krb5afs).  Works both on initial login and for SSO now. 
This will not work for anything which doesn't allow passing PAM stashes 
from the auth function of pam_krb5 to the session function of pam_krb5 
(like OpenSSH's challenge-reponse auth).  It is only after 
pam_sm_open_session() in pam_krb5 that you have KRB5CCNAME set and 
pointing to a valid TGT.

Other little details are that pam_krb5afs assumes the /afs/<cellname> 
convention and that afs5log pukes on the -p <homedir> option that 
pam_afs2 passes to it, so it doesn't work out of the box.

PAM sucks.

On Tue, 20 Sep 2005 lamont@scriptkiddie.org wrote:
> Nevermind about #2.  Naturally, as soon as I make a post it fixes itself and 
> openssh is setting that correctly.
> I believe this confirms that pam_krb5afs ignores KRBCCNAME.  Anyone got a 
> patch to make it use the TGT that SSH forwarded to get a ticket for the cell 
> and a pag?
> On Tue, 20 Sep 2005 lamont@scriptkiddie.org wrote:
>> I'm trying to get TGT passing with the gssapi-with-mic auth method of 
>> openssh to work with pam_krb5afs to get a token.
>> 1.  Does this even work in principle, or does the pam_sm_open_session in 
>> pam_krb5afs rely on a stash created in the auth method of pam_krb5afs?  I 
>> had hoped that the session part of pam_krb5afs would check for KRB5CCNAME 
>> (either via getenv() or pam_getenv()) and would use that if it was set, 
>> but now I'm not so sure, but still uncertain at this point of the way the 
>> code behaves.
>> 2.  KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly, 
>> even if pam_krb5afs can use it.  I've verified that gssapi-with-mic and 
>> TGT passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh, 
>> "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.
>> I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.
>> Has anyone else been down this road before and know where it leads?
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info