[OpenAFS] FYI: kerberos and ssh on RHEL5

Jason Edgecombe jason@rampaginggeek.com
Fri, 06 Apr 2007 14:01:38 -0400


Hi Everyone,

This is a heads-up for anyone using kerberos on RedHat Enterprise Linux 5.

I just solved a problem that's been a royal pain for me.

I had console and gdm logins working fine for RHEL5 and I got kerberos 
single sign-on working for ssh, but I had trouble getting password 
authentication working. It would accept my kerberos password, but I wouldn't 
have any tickets or tokens.

To solve my problem, I had to enable the use_shmem option in 
/etc/krb5.conf for use with sshd.

Here is the appdefaults section of my /etc/krb5.conf:
[appdefaults]
   pam = {
     afs_cells = mycell.com
     ccache_dir = /tmp
     forwardable = true
     tokens = sshd
     external = sshd
     use_shmem = sshd
   }

This was extremely irritating because my previous config files worked on 
RHEL5 beta2.

I can now login using kerberos credentials on console or ssh.

There are some quirks. sshd takes about 5-10 seconds to login; it seems 
to pause just after the "opening session" debug message in the secure 
log. It also grabs a kerberos 4 ticket and gets tokens, but it doesn't 
have a ticket for the afs service principal in the ticket cache.

Anyways, my stuff works now and I'm happy for the moment. I just wanted 
to document this to save others the pain.

Sincerely,
Jason Edgecombe
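Added example, not part of Jason's post: a small Python checker that parses a krb5.conf file (sections plus the nested `key = { ... }` blocks used under [appdefaults]) and reports which of the three sshd-related pam options from the post (tokens, external, use_shmem) are missing or do not name sshd. The sample config below is constructed from the block in the post; the parser and the assumption that an option value may hold a whitespace-separated list of service names are mine, not pam_krb5's documented behaviour.

```python
"""Check that the pam_krb5 options discussed above are present in a krb5.conf
[appdefaults] pam = { ... } block.  Added example: the parser and the sample
config are constructed here and are not from the original post."""
import re

# Constructed sample krb5.conf, modelled on the appdefaults block in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = MYCELL.COM

[appdefaults]
   pam = {
     afs_cells = mycell.com
     ccache_dir = /tmp
     forwardable = true
     tokens = sshd
     external = sshd
     use_shmem = sshd
   }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: value}}.
    A `key = {` line opens a nested dict that ends at the matching `}`.
    Trailing `#` comments and blank lines are ignored."""
    root = {}
    section = None
    stack = []  # nested dicts currently open, innermost last
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:
            section = root.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % line)
        if line == '}':
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return root


# Options the post needed set for sshd logins to yield tickets and tokens.
SSHD_OPTIONS = ('tokens', 'external', 'use_shmem')


def sshd_option_status(text, service='sshd'):
    """Return {option: bool} saying whether each option in SSHD_OPTIONS lists
    `service` under appdefaults.pam.  Assumption: a value may be a single
    service name or a whitespace-separated list of names."""
    conf = parse_krb5_conf(text)
    pam = conf.get('appdefaults', {}).get('pam', {})
    status = {}
    for opt in SSHD_OPTIONS:
        val = pam.get(opt, '')
        status[opt] = service in val.split() if isinstance(val, str) else False
    return status


def missing_sshd_options(text, service='sshd'):
    """List the SSHD_OPTIONS that do not name `service`; empty means all set."""
    return [o for o, ok in sshd_option_status(text, service).items() if not ok]


if __name__ == '__main__':
    print(missing_sshd_options(SAMPLE_KRB5_CONF))
    # Same config with use_shmem dropped, the state the post describes as broken.
    without = SAMPLE_KRB5_CONF.replace('     use_shmem = sshd\n', '')
    print(missing_sshd_options(without))
```

Running it against a real file is a matter of passing `open('/etc/krb5.conf').read()` to `missing_sshd_options`; a non-empty list points at the option to add before spending time on the sshd debug log.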