[OpenAFS] RHEL5, pam_afs, sshd; no token

Russ Allbery rra@stanford.edu
Tue, 29 May 2007 10:59:39 -0700


Richard Brittain <richard@northstar.dartmouth.edu> writes:

> I'm just getting my feet wet with RHEL5 on an x86_64 box, and built
> OpenAFS 1.4.4 by using 'rpmbuild' with the SRPM package for RHEL4.  It
> seemed to build completely cleanly, installed first time, and works fine
> when authenticating with klog.

> When I tried inserting the call to pam_afs in /etc/pam.d/system-auth, it
> worked for console text logins (authenticated, and I have a token and a
> PAG), but for sshd I get logged in with no token or PAG.  Console logins
> with gdm seem to behave the same as SSH, but they are harder to debug.

The pam_afs that comes with AFS is pretty dire.  You don't really want to
use it if you can possibly avoid it.  For it to work properly with ssh,
you have to disable PrivilegeSeparation and possibly also
ChallengeResponseAuthentication, and you may still run into threading
issues.

It's much better to use a pam_krb5 module with my pam_afs_session module
if you have a K5 environment available.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
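
The combination described in the reply above can be checked mechanically. The following is an added example, not part of the original message and not code from OpenAFS or pam_afs_session: a small Python audit that reads an sshd_config and a PAM stack and reports the conflict the reply describes. The sample file contents, the function names, and the assumption that sshd defaults both keywords to "yes" when absent are mine; Match blocks are not handled.

```python
import re

# Constructed sample inputs (not taken from the original post).
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
UsePAM yes
ChallengeResponseAuthentication no
#UsePrivilegeSeparation no
"""
SAMPLE_PAM_STACK = """\
# constructed sample /etc/pam.d/system-auth
auth      sufficient  pam_unix.so nullok
auth      sufficient  pam_afs.so
session   required    pam_unix.so
"""

# Assumed sshd defaults when a keyword is not set (OpenSSH of that era).
SSHD_DEFAULTS = {"useprivilegeseparation": "yes",
                 "challengeresponseauthentication": "yes"}

def sshd_settings(text):
    """Effective values; keywords are case-insensitive, first occurrence wins."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {k: seen.get(k, default) for k, default in SSHD_DEFAULTS.items()}

def pam_modules(text):
    """Basenames of every module referenced in a PAM stack file."""
    mods = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        mods.update(m.rsplit("/", 1)[-1] for m in re.findall(r"\S+\.so\b", line))
    return mods

def audit(sshd_text, pam_text):
    """Findings for the pam_afs/sshd combination described in the reply."""
    findings, mods, cfg = [], pam_modules(pam_text), sshd_settings(sshd_text)
    if any(m.startswith("pam_afs.") for m in mods):  # pam_afs.so, pam_afs.krb.so
        if cfg["useprivilegeseparation"] != "no":
            findings.append("pam_afs + privilege separation: no token/PAG over ssh")
        if cfg["challengeresponseauthentication"] != "no":
            findings.append("pam_afs + ChallengeResponseAuthentication: may also fail")
    if "pam_afs_session.so" in mods and not any(m.startswith("pam_krb5") for m in mods):
        findings.append("pam_afs_session without a pam_krb5 module in the stack")
    return findings
```

Calling `audit(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_STACK)` returns the single privilege-separation finding, since the commented-out keyword leaves the assumed default in effect.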