[OpenAFS] no tokens at login time via ssh

Kevin Scott Sumner ksumner@physics.unc.edu
Tue, 17 Oct 2006 15:48:15 -0400 (EDT)

After looking into this, I realize I misspoke.  We're still using the
default RedHat EL 3.0's sshd, as well as Debian's vendor binaries.  I
forgot that we want to be able to ssh to our machines if our fileservers
holding the packages aren't available because of
[your_favorite_disaster_here].  :)

On my development sarge/etch machines, common-auth looks like this:
auth    optional        pam_krb5.so
auth    sufficient      pam_afs.so try_first_pass ignore_root
auth    sufficient      pam_unix.so try_first_pass likeauth nullok
auth    required        pam_deny.so

There are minor problems with this layering and some options, but nothing
security-related... that I can tell, anyway.  Our RHEL3 system-auth is a
bit more broken, but the same stacking.

I don't have the config info for RHEL or Debian in front of me, but neither
is linked against AFS, though RHEL's is linked against some krb5 libs:
libkrb5.so.3, libk5crypto.so.3, libgssapi_krb5.so.2

We're not doing ticket or token forwarding, so it doesn't matter to us
how sshd is compiled anyway -- pam handles the auth... at least, that's my
understanding.  Feel free to educate me, though.

Kevin Sumner
Assistant Unix Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill

On Tue, 17 Oct 2006, Daniel Clark wrote:

> On 10/17/06, Kevin Scott Sumner <ksumner@physics.unc.edu> wrote:
> > With just some configuration changes, the kdc authentication, token-getting
> > and ticket-getting all worked out of the box once upon a time... although,
> > we now have compiled our own version of ssh/sshd.
> This seems sort of unavoidable if you want to use some of the more advanced
> OpenAFS/Kerberos related features, esp. if you must support platforms other
> than Debian/Ubuntu.
> Do you happen to have specs of your OpenSSH compiles anywhere?
> I am also doing this; my work is up at [1]; I just got stuff to compile
> cleanly, but still need to test against Kerberos 5 / PAM / OpenAFS etc.
> [1] http://www.dclark.us/encaps/profiles/openssh-4.4p1.ep
> Cheers,
> -Danny
> --
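An added example, not part of this thread or of any PAM/OpenAFS code: a small Python simulator of the Linux-PAM auth-stack control flags (required/requisite/sufficient/optional), applied to the common-auth stack quoted above, so the effect of the layering can be checked against constructed module outcomes. No real PAM module is called; the per-module results are supplied by the caller.

```python
from typing import Dict, List, Tuple

# The auth stack quoted in the message, as (control flag, module) pairs.
COMMON_AUTH: List[Tuple[str, str]] = [
    ("optional",   "pam_krb5.so"),
    ("sufficient", "pam_afs.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_deny.so"),
]

def run_auth_stack(stack: List[Tuple[str, str]],
                   results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack the way the Linux-PAM dispatcher does.

    `results` maps module name -> True/False (constructed outcome; a module
    not listed is treated as failing, which is what pam_deny always does).
    Returns (access granted?, modules that were actually consulted).
      required   : failure is remembered, later modules still run
      requisite  : failure ends the stack at once
      sufficient : success ends the stack unless a required module already
                   failed; failure is ignored
      optional   : result only counts if no other module sets one
    """
    impression = None      # None = undecided, "pos" = success so far, "neg" = failed
    status = False         # Linux-PAM starts from PAM_MUST_FAIL_CODE
    consulted: List[str] = []
    for control, module in stack:
        consulted.append(module)
        ok = results.get(module, False)
        if ok:
            if impression is None:          # first decisive outcome is recorded
                impression, status = "pos", True
            if control == "sufficient" and impression == "pos":
                return True, consulted      # short-circuit: nothing below runs
        elif control in ("required", "requisite"):
            # a failure here overrides any earlier optional/required success
            if impression is None or (impression == "pos" and status):
                impression, status = "neg", False
            if control == "requisite":
                return False, consulted
        # failures of sufficient/optional modules are ignored
    return status, consulted

if __name__ == "__main__":
    # krb5 ticket only: optional success is overridden by pam_deny -> denied
    print(run_auth_stack(COMMON_AUTH, {"pam_krb5.so": True}))
    # AFS token obtained: stack stops at pam_afs, pam_unix never consulted
    print(run_auth_stack(COMMON_AUTH, {"pam_krb5.so": True, "pam_afs.so": True}))
```

Note that pam_deny as the final required entry is what turns "every sufficient module fell through" into a definite denial rather than relying on the dispatcher's default.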