[OpenAFS] Probleme with aklog
Douglas E. Engert
deengert@anl.gov
Tue, 20 Feb 2007 10:03:35 -0600
I have been mis-quoted below, the section of sshd_config
file is not from me. I was suggesting that you not allow
passwords at all, but allow GSSAPI. Don't let sshd do any
Kerboers or AFS calls directly (gss are OK), but rely on
PAM to do this.
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPassword no
GSSAPIAuthenticaiton yes
GSSAPICleanupCredentials yes
El Barto wrote:
> On Mon, 19 Feb 2007 21:25:08 +0100
> Bastian <dea1306@melvex.xs4all.nl> wrote:
>
>>> On Mon, 19 Feb 2007 10:14:56 -0600
>>> "Douglas E. Engert" <deengert@anl.gov> wrote:
>>>
>>>
>>> # Change to no to disable tunnelled clear text passwords
>>> #PasswordAuthentication yes
>>>
>>> # Kerberos options
>>> KerberosAuthentication yes
KerberosAuthentication no
>>> #KerberosGetAFSToken yes
KerberosGetAFSToken no
>>> KerberosOrLocalPasswd yes
KerberosOrLocalPassword no
>>> KerberosTicketCleanup yes
KerberosTicketCleanup no
>>>
>>> # GSSAPI options
>>> GSSAPIAuthentication no
GSSAPIAuthenticaiton yes
>>> #GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
>>>
>>> X11Forwarding yes
>>> X11DisplayOffset 10
>>> PrintMotd no
>>> PrintLastLog yes
>>> TCPKeepAlive yes
>>> #UseLogin no
>>>
>>>
>> Try GSSAPIAuthentication instead of KerberosAuthentication. GSSAPI
>> stands for Kerberos 5 in this case. Maybe differences between K4 en K5
>> cause the realm name problem.
>>
>> I don have the Kerberos*-entries in my sshd_conf, and pam_krb5 &
>> pam_openafs-session work fine (Debian Sarge and Debian Etch)
>>
>>
>> Bastian
>>
>
> The thing is that does the same on a physical login.
> Can you paste your pam configuration for your Debian Etch please ?
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444