[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4

Robert Sturrock rns@unimelb.edu.au
Mon, 03 Sep 2007 17:40:46 +1000


Hi all.

I have a question about pam-afs-session, although my problem may actually
be more related to Openssh and Kerberos.

I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it
seems to work fine, provided I use pam to do the authentication rather
than openssh.  This means typing my password even though I've already
got a ticket on my workstation.

However, I would ideally like to let openssh do the authentication
(i.e. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).  The
client can forward Kerberos credentials and (hopefully)
pam-afs-session can turn that into a token.  Is such a setup possible?

In trying to set this up, I've used these settings in sshd_config:

    ChallengeResponseAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication yes
    UsePAM yes

.. and /etc/pam.d/system-auth looks like this:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        [success=ok default=1] /lib/security/$ISA/pam_krb5.so
    auth        [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug
    auth        required      /lib/security/$ISA/pam_deny.so

    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_krb5.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     required      /lib/security/$ISA/pam_permit.so

    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_krb5.so
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so
    session     required      /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog debug

When I login to the machine with this configuration, I get my Kerberos ticket
propagated ok, but no token, and some messages in syslog:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_10846_QyS612
    Default principal: rns@UNIMELB.EDU.AU

    Valid starting     Expires            Service principal
    09/03/07 17:28:42  09/03/07 19:37:42  krbtgt/UNIMELB.EDU.AU@UNIMELB.EDU.AU
	    renew until 09/03/07 09:38:26


    Kerberos 4 ticket cache: /tmp/tkt10846
    klist: You have no tickets cached

    $ tokens

    Tokens held by the Cache Manager:

       --End of list--



    Sep  3 17:28:42 crashburn sshd(pam_unix)[612]: session opened for user rns by (uid=0)
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: configured realm 'UNIMELB.EDU.AU'
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flags: forwardable
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no ignore_afs
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: user_check
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: no krb4_convert
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: flag: warn
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ticket lifetime: 36000
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: renewable lifetime: 36000
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: banner: Kerberos 5
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: ccache dir: /tmp
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: keytab: /etc/krb5.keytab
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: afs cell: unimelb.edu.au
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: no v5 creds for user 'rns', skipping session setup
    Sep  3 17:28:42 crashburn sshd[612]: pam_krb5[612]: pam_open_session returning 0 (Success)

    Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: entry (0x0)
    Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
    Sep  3 17:28:42 crashburn sshd[612]: (pam_afs_session): pam_sm_open_session: exit (success)

So it seems like pam_krb5 and pam-afs-session can't find the
credentials cache.  I'm not sure what order things are happening in
here, and what the interactions between pam, kerberos and openssh are. 
Seems like I've tried just about every combination of parameters for
openssh and pam but no luck.

(I also tried setting "always_aklog" as a flag to pam-afs-session, but
that made no difference).

I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
"useshmem" and "external" that look helpful, but I was hoping not to need
this as I'm trying to stick as much as possible with the vendor supplied
packages (RHEL4 has pam_krb5-2.1.8-1).

Ultimately I'm hoping to extend this configuration to Solaris 10 too ..

Regards,

Robert.
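A diagnostic wrapper for the situation described in the post, added here as an example (it is not part of the original message nor of pam-afs-session or OpenSSH): pam_afs_session's program= option can point at a script instead of /usr/bin/aklog, and that script records what KRB5CCNAME the PAM session environment actually carries before running the real aklog, which is the quickest way to tell whether sshd handed the forwarded cache to PAM at all. The install path /usr/local/sbin/aklog-debug and the AKLOG_REAL setting are assumptions.

```shell
#!/bin/sh
# Diagnostic aklog wrapper for pam_afs_session (added example, not project code).
# Assumed install path: /usr/local/sbin/aklog-debug, used from PAM as
#   session required pam_afs_session.so program=/usr/local/sbin/aklog-debug
# It logs whether KRB5CCNAME points at a usable cache, then runs the real aklog.

AKLOG_REAL=/usr/bin/aklog   # real aklog path, as in the original PAM stack

# Strip a Kerberos cache type prefix (FILE:, DIR:) and print the path part.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Return 0 if KRB5CCNAME names a usable credential cache, 1 otherwise.
# FILE: and bare-path caches must be readable, DIR: caches must exist;
# any other cache type is treated as present so aklog still gets to run.
ccache_present() {
    cc="$1"
    [ -n "$cc" ] || return 1
    case "$cc" in
        FILE:*|/*) [ -r "$(ccache_path "$cc")" ] ;;
        DIR:*)     [ -d "$(ccache_path "$cc")" ] ;;
        *)         return 0 ;;
    esac
}

# Log the PAM-side view of the cache via syslog, then exec the real aklog.
run_wrapper() {
    if ccache_present "${KRB5CCNAME:-}"; then
        logger -t aklog-debug "uid=$(id -u) KRB5CCNAME=$KRB5CCNAME readable, running aklog"
    else
        logger -t aklog-debug "uid=$(id -u) KRB5CCNAME=${KRB5CCNAME:-<unset>} no usable cache in PAM environment"
    fi
    exec "$AKLOG_REAL" "$@"
}

# Only act when installed and invoked under the wrapper name, so the helper
# functions can also be sourced and checked on their own.
case "${0##*/}" in
    aklog-debug) run_wrapper "$@" ;;
esac
```

If the wrapper logs KRB5CCNAME as unset while the user's shell later shows a ticket, the cache is being exported to the login shell but not to the PAM session, which matches the "skipping tokens, no Kerberos ticket cache" lines above.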