[OpenAFS] pam_krb5afs and openssh-4.0p1
Fri, 23 Sep 2005 09:15:31 -0700 (PDT)
On Wed, 21 Sep 2005 email@example.com wrote:
> On Wed, 21 Sep 2005, Douglas E. Engert wrote:
>> Does the pam_krb5 have a force_creds option? Some do. This could allow it
>> store the ticket cache during the pam_sm_authenticate call rather then the
>> pam_sm_setcred call.
> I don't see "force.*cred" anywhere in the sources. Grepping for "force"
> doesn't even turn up much.
> And it looks like the only place that KRB5CCNAME gets set is in the session.c
> file that handles pam_open_session(). I don't see any functionality in
> auth.c or anywhere else that auth.c might call...
> I checked both the 2.0.8-2 sources and the latest CVS checkout.
There's a use_shmem option you can pass into auth and session which puts
the stash in shmem.
auth sufficient /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
session sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
I need to do some more testing, but this appears to work with both GSSAPI
authentication ("external") and with openssh's broken challenge-response
I'm using a CVS checkout of redhat's pam_krb5 which claims to be
something like 2.2.0-0.5
With this, I don't need to use pam_afs2 anymore (but thanks for the help