[OpenAFS] pam_krb5afs and openssh-4.0p1

lamont@scriptkiddie.org lamont@scriptkiddie.org
Fri, 23 Sep 2005 09:15:31 -0700 (PDT)

On Wed, 21 Sep 2005 lamont@scriptkiddie.org wrote:
> On Wed, 21 Sep 2005, Douglas E. Engert wrote:
>> Does the pam_krb5 have a force_creds option? Some do. This could allow it 
>> to
>> store the ticket cache during the pam_sm_authenticate call rather then the
>> pam_sm_setcred call.
> I don't see "force.*cred" anywhere in the sources.  Grepping for "force" 
> doesn't even turn up much.
> And it looks like the only place that KRB5CCNAME gets set is in the session.c 
> file that handles pam_open_session().  I don't see any functionality in 
> auth.c or anywhere else that auth.c might call...
> I checked both the 2.0.8-2 sources and the latest CVS checkout.

Got it!

There's a use_shmem option you can pass into auth and session which puts 
the stash in shmem.

auth        sufficient    /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
session     sufficient    /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd

I need to do some more testing, but this appears to work with both GSSAPI 
authentication ("external") and with openssh's broken challenge-response 
authentication ("use_shmem").

I'm using a CVS checkout of redhat's pam_krb5 which claims to be 
something like 2.2.0-0.5

With this, I don't need to use pam_afs2 anymore (but thanks for the help 
DEE =).