[OpenAFS] debian-gssapi works, partly...

Juha Jäykkä juolja@utu.fi
Fri, 26 Jan 2007 13:07:59 +0200

> But with latest openssh on etch I´ve got the problem that I don´t obtain
> a token while logging in via SSH from putty or a PC without gssapi.

Make sure you're not using RSA/DSA keys to log in. There is no way to
obtain a ticket and a token when you never tell ssh/pam your password. We
have the exact same setup (etch, Heimdal, pam_afs2 and GSSAPI
authentication), where everything works exactly as supposed. The only
problem is that occasionally sshd seems to lose its ticket/keytab. To
work around this, all the sshd's restart every night. I'm not quite sure
what happens, actually. The symptom is that GSSAPI logins cease
functioning. I guess it's caused by sshd having lost its ticket somehow.
Perhaps it expires? I haven't figured out what happens, though: been in
too much of a hurry each time I've noticed this (and it's only been a few
times per machine in half a year).


		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
