[OpenAFS] Probleme with aklog

Douglas E. Engert deengert@anl.gov
Mon, 19 Feb 2007 13:18:28 -0600


El Barto wrote:
> On Mon, 19 Feb 2007 10:14:56 -0600
> "Douglas E. Engert" <deengert@anl.gov> wrote:
> 
>> Your test looks strange, as the same ticket cache (based on your
>> uid I assume) is being used in both the kinit and the ssh examples and the
>> tickets have the same time. This would indicate the SSH did not
>> get you a Kerberos ticket, or if it did it stored it in some
>> other cache, and did not set the KRB5CCNAME.
>> You may want to check your sshd_config, and your PAM configurations.
>>
>> The PAM_*afs* routines should only get a token if the ssh got
>> a Kerberos ticket.
>>

First of all, do you really want to use passwords with sshd at all if
you already have KRB5? If you have tickets on the client machine
that runs ssh, then you want to use GSSAPI, which will use Kerberos
as intended, i.e. no passwords over the network. You should try
and get to this type of configuration if possible.

That said, looking at your configuration you want to use passwords
for sshd. Sshd can use Kerberos with passwords in two ways,
via internal Kerberos calls, or via PAM. I would recommend using
the PAM. This requires the use of
ChallengeResponseAuthentication yes
You have it set to no, so (I believe) the pam_krb5 will not be called.

You might want to test this with a separate /etc/pam.d/ssh
file rather than the common-auth file. common-auth is used
by most other commands, and you want to make sure su or sudo still work :-)


> 
>  The weirdest thing is it does the same on a physical login. Anyway
> here is my ssh config and pam config :
> 
> sshd_config :
> # Package generated configuration file
> # See the sshd(8) manpage for details
> 
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
> 
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
> 
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> 
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile     %h/.ssh/authorized_keys
> 
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
> 
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
> 
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> 
> # GSSAPI options
> GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> 
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> 
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
> 
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
> 
> Subsystem sftp /usr/lib/openssh/sftp-server
> 
> UsePAM yes
> 
>  I changed two pam config files, common-auth and common-session :
> 
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> #
> auth    required        pam_unix.so nullok_secure
> auth    sufficient      pam_krb5.so use_first_pass forwardable debug
> 
> #
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive).  The default is pam_unix.
> #
> session required        pam_unix.so
> session optional        pam_krb5.so debug
> session optional        pam_openafs_session.so
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
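As an added example (not code from this thread), a small POSIX shell check of an sshd_config against the three settings the reply above discusses: GSSAPIAuthentication, UsePAM together with ChallengeResponseAuthentication, and KerberosAuthentication. The priority order in krb5_login_path and the sample config are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config against the
# settings discussed above. sshd honours the FIRST occurrence of a keyword,
# matches keywords case-insensitively and ignores '#' comment lines.

# sshd_opt FILE KEYWORD -> effective value, or "unset" if the keyword is absent
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# krb5_login_path FILE -> one word summarising which Kerberos route a login
# can take with this config (ordering chosen for this example):
#   gssapi    GSSAPIAuthentication yes: client tickets used, no password on the wire
#   pam       UsePAM yes + ChallengeResponseAuthentication yes: pam_krb5 is reached
#   internal  KerberosAuthentication yes without the PAM route: sshd's own KRB5 calls
#   none      nothing Kerberos-related enabled
krb5_login_path() {
    if [ "$(sshd_opt "$1" GSSAPIAuthentication)" = yes ]; then
        echo gssapi
    elif [ "$(sshd_opt "$1" UsePAM)" = yes ] &&
         [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = yes ]; then
        echo pam
    elif [ "$(sshd_opt "$1" KerberosAuthentication)" = yes ]; then
        echo internal
    else
        echo none
    fi
}

# Constructed sample: the relevant lines of the poster's sshd_config, plus a
# later duplicate keyword to show that only the first occurrence counts.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# Change to yes to enable challenge-response passwords
ChallengeResponseAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
EOF

printf 'Kerberos login path: %s\n' "$(krb5_login_path "$SAMPLE_CFG")"
```

With the poster's values the verdict is "internal": the PAM route is never selected while ChallengeResponseAuthentication is no, which is the situation the reply describes; flipping that line to yes (or enabling GSSAPI) changes the verdict.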