[OpenAFS] no tokens at login time via ssh
Kevin Scott Sumner
Tue, 17 Oct 2006 11:51:54 -0400 (EDT)
We're running RHEL 3 (various updates) clients and I've got a few personal
Debian etch boxes getting PAGs and tokens on login. We also use MIT
Kerberos 5 KDCs for authentication.
A few things to look out for/check:
-- There may be a separate PAM config file for sshd in /etc/pam.d. (Or,
perhaps, another section in pam.conf -- it's this way in Solaris 9's
slightly monolithic pam.conf)
-- In sshd_config, you can try setting your UsePrivilegeSeparation opposite
of what you have. This caused problems for us and I can't remember
which way worked.
-- Lastly, I had to run sshd in non-daemon/debug mode when setting up
the Debian boxes... or maybe I was stracing/lsof'ng??? At any rate, one
of these will let you know when pam_afs gets referenced/loaded by sshd, if
at all. I'm pretty sure it was sshd in debug mode... (-d option -- check
the man page for more info.)
With just some configuration changes, the kdc authentication, token-getting
and ticket-getting all worked out of the box once upon a time... although,
we now have compiled our own version of ssh/sshd.
Hope this helps.
Assistant Unix Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill
"Imagination is more important than knowledge.
For knowledge is limited, whereas imagination
embraces the entire world, stimulating progress,
giving birth to evolution."
On Tue, 17 Oct 2006, Andreas Donath wrote:
> I'm trying to get sshd running in a way that
> it generates tokens at login-time when
> users provide their passwords.
> Here are the client parameters:
> Platform: i386 Fedora Core 5
> Kernel: 2.6.17-1.2187_FC5smp
> Client-RPMS from ATRpms:
> For the purpose of logging in and token-creation,
> I modified /etc/pam.d/system-auth the usual way:
> auth required pam_env.so
> auth sufficient /lib/security/pam_afs.krb.so ignore_root
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
> This works fine e.g. for logging on from the console or gdm, but
> via ssh it fails in such a way that I get in, but without a token.
> I searched the web and the mail-archives and I found the "use_klog"
> option for pam_afs.krb.so. Trying this one resulted in:
> pam_afs: can not access klog program '/usr/afsws/bin/klog'
> After installing the openafs-compat-1.4.1-fc5.1.rpm the error messages
> disappeared but a token won't get created still.
> My sshd_config looks like this:
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
> #Port 22
> #Protocol 2,1
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> # Authentication:
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> PasswordAuthentication yes
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken yes
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> #UsePAM no
> UsePAM yes
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation no
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> # no default banner path
> #Banner /some/path
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
> I'm not sure what the KerberosGetAFSToken option does;
> anyway, switching it to yes resulted in an "Unsupported option" error.
> (We run the openafs kasserver).
> What am I missing here?
> Would I have to build sshd and openafs on my own, with
> special parameters set?
> Are there other options to be used?
> Any help is highly appreciated.
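As an added diagnostic (constructed here, not code from either poster), the script below does the checks the reply suggests: it reports which sshd_config value actually wins for UsePAM, ChallengeResponseAuthentication, PasswordAuthentication and UsePrivilegeSeparation, and whether sshd's own PAM service in /etc/pam.d reaches pam_afs (directly, or through an "include" / "pam_stack.so service=" line). The sample sshd_config and pam.d files it writes to a temp directory are constructed to mirror the quoted setup; point report at the real /etc/ssh/sshd_config and /etc/pam.d to run it for real.

```shell
# Added diagnostic (constructed, not from the thread): from copies of
# sshd_config and an /etc/pam.d directory, report the settings the
# replies above point at.

# sshd honours the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive); later duplicates are ignored, so report that one.
sshd_setting() {  # sshd_setting <sshd_config> <Keyword>
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; found = 1; exit }
        END { if (!found) print "(default)" }' "$1"
}

# Does the PAM stack for <service> reference pam_afs, either directly or via
# "auth include X" or the older "pam_stack.so service=X" indirection?
pam_uses_afs() {  # pam_uses_afs <pam.d dir> <service> [depth]
    local dir="$1" svc="$2" depth="${3:-0}" inc
    [ -r "$dir/$svc" ] && [ "$depth" -lt 5 ] || return 1   # depth guards include loops
    grep -v '^[[:space:]]*#' "$dir/$svc" | grep -q 'pam_afs' && return 0
    for inc in $(grep -v '^[[:space:]]*#' "$dir/$svc" | awk '
            $2 == "include" { print $3 }
            /pam_stack\.so/ { for (i = 1; i <= NF; i++)
                                if ($i ~ /^service=/) print substr($i, 9) }'); do
        pam_uses_afs "$dir" "$inc" $((depth + 1)) && return 0
    done
    return 1
}

report() {  # report <sshd_config> <pam.d dir>
    for k in UsePAM ChallengeResponseAuthentication PasswordAuthentication \
             UsePrivilegeSeparation KerberosGetAFSToken; do
        printf '%-32s %s\n' "$k" "$(sshd_setting "$1" "$k")"
    done
    if pam_uses_afs "$2" sshd; then echo "pam_afs: reachable from pam.d/sshd"
    else echo "pam_afs: NOT reachable from pam.d/sshd (console logins may still get it)"; fi
}

# Constructed sample mirroring the quoted setup: pam_afs lives in system-auth,
# and pam.d/sshd only reaches it through an include line.
tmp=$(mktemp -d); mkdir "$tmp/pam.d"
printf '%s\n' '#UsePAM no' 'UsePAM yes' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' 'UsePrivilegeSeparation no' > "$tmp/sshd_config"
printf '%s\n' 'auth required pam_env.so' \
    'auth sufficient /lib/security/pam_afs.krb.so ignore_root' \
    'auth sufficient pam_unix.so nullok try_first_pass' > "$tmp/pam.d/system-auth"
printf 'auth include system-auth\n' > "$tmp/pam.d/sshd"
printf 'auth required pam_unix.so\n' > "$tmp/pam.d/login"   # no AFS on this one
report "$tmp/sshd_config" "$tmp/pam.d"
```

If pam_afs is only reachable from system-auth and not from pam.d/sshd, or UsePAM is off, the sshd login path never loads the module, which matches the "works on console, not via ssh" symptom; running sshd -d then shows whether the module is actually invoked.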