[OpenAFS] pam_krb5afs and openssh-4.0p1
Douglas E. Engert
Wed, 21 Sep 2005 13:14:57 -0500
> Well, I found out where the road leads...
> Wound up using pam_krb5 only for kerberos. It will not work with a
> GSSAPI passed TGT to just get a PAG. There's also an issue discussed
> previously on this list about needing to turn off challenge-response in
> openafs to make this work. Chaining after pam_krb5 in the session
> section I put pam_afs2 which calls out to /usr/bin/afs5log (the
> standalone aklog-ish piece of pam_krb5afs). Works both on initial login
> and for SSO now. This will not work for anything which doesn't allow
> passing PAM stashes from the auth function of pam_krb5 to the session
> function of pam_krb5 (like OpenSSH's challenge-reponse auth). It is
> only after pam_sm_open_session() in pam_krb5 that you have KRB5CCNAME
> set and pointing to a valid TGT.
As you appear to be doing the pam_afs2 can be setup to be called after
the pam_krb5 session so it should be able to find the KRB5CCNAME. (It also
has a nopag option so if the pag is obtained early, it will not get a new pag.)
Does the pam_krb5 have a force_creds option? Some do. This could allow it to
store the ticket cache during the pam_sm_authenticate call rather then the
> Other little details are that pam_krb5afs assumes the /afs/<cellname>
> convention and that afs5log pukes on the -p <homedir> option that
> pam_afs2 passes to it, so it doesn't work out of the box.
The OpenAFS aklog, the Heimdal afslog and the gssklog all accept the -p
option. I even see in aklog from as early 1994 support for the -p option.
The -p option is so the *log program can get a token for the cell
that contains the directory.
Never tried pam_afs2 with afs5log. Sounds like afs5log needs a -p option.
> PAM sucks.
> On Tue, 20 Sep 2005 firstname.lastname@example.org wrote:
>> Nevermind about #2. Naturally, as soon as I make a post it fixes
>> itself and openssh is setting that correctly.
>> I believe this confirms that pam_krb5afs ignores KRBCCNAME. Anyone
>> got a patch to make it use the TGT that SSH forwarded to get a ticket
>> for the cell and a pag?
>> On Tue, 20 Sep 2005 email@example.com wrote:
>>> I'm trying to get TGT passing with the gssapi-with-mic auth method of
>>> openssh to work with pam_krb5afs to get a token.
>>> 1. Does this even work in principle, or does the pam_sm_open_session
>>> in pam_krb5afs rely on a stash created in the auth method of
>>> pam_krb5afs? I had hoped that the session part of pam_krb5afs would
>>> check for KRB5CCNAME (either via getenv() or pam_getenv()) and would
>>> use that if it was set, but now I'm not so sure, but still uncertain
>>> at this point of the way the code behaves.
>>> 2. KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1
>>> properly, even if pam_krb5afs can use it. I've verified that
>>> gssapi-with-mic and TGT passing works correctly, but
>>> getenv("KRB5CCNAME") and pam_getenv(pamh, "KRB5CCNAME") from
>>> pam_sm_open_session in pam_krb5afs return NULL.
>>> I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and
>>> Has anyone else been down this road before and know where it leads?
>>> OpenAFS-info mailing list
>> OpenAFS-info mailing list
> OpenAFS-info mailing list
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439