[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4

Russ Allbery rra@stanford.edu
Mon, 03 Sep 2007 10:40:09 -0700

Robert Sturrock <rns@unimelb.edu.au> writes:

> I have a question about pam-afs-session, although my problem may actually
> be more related to Openssh and Kerberos.

> I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it
> seems to work fine, provided I use pam to do the authentication rather
> than openssh.  This means typing my password even though I've already
> got a ticket on my workstation.

> However, I would ideally like to let openssh do the authentication
> (ie.  set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).  The
> client can forward Kerberos credentials and (hopefully)
> pam-afs-session can turn that into a token.  Is such a setup possible?

Yes, I use it all the time on Debian.

However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
PAM session hooks and *then* saves the ticket cache.  This is obviously
broken and has been fixed in later versions of sshd, but I don't believe
Red Hat has fixed it in an update.  pam-afs-session can't do anything
about this; at the time that it's called, no ticket cache is available
because sshd hasn't written it out yet.

If this is the problem that I remember, there isn't any real solution
other than replacing sshd with a fixed version, but you can work around it
by adding a call to aklog to the system shell initialization files.  The
user's PAG is created correctly; the only problem is that aklog is never

> I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
> "useshmem" and "external" that look helpful, but I was hoping not to
> need this as I'm trying to stick as much as possible with the vendor
> supplied packages (RHEL4 has pam_krb5-2.1.8-1).

Won't help for this case, since sshd will still hold on to the ticket
cache for too long and PAM won't see it.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
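The workaround described above (calling aklog from the system shell initialization files because sshd only writes the ticket cache after the PAM session hooks have run) could look like the following. This is an added example, not code from the original post or from pam-afs-session; the path /etc/profile.d/afs-aklog.sh is an assumption, and it relies on the standard behaviour of MIT klist -s (exit 0 only when the cache holds a valid ticket) and of the OpenAFS tokens and aklog commands.

```shell
# /etc/profile.d/afs-aklog.sh (assumed location; example only, not part of
# pam-afs-session or of the original post).
#
# By the time a login shell starts, sshd has finished writing the forwarded
# Kerberos ticket cache and KRB5CCNAME points at it, so aklog can now obtain
# an AFS token inside the PAG that pam-afs-session already created.

afs_token_from_ticket() {
    # No ticket cache in the environment: nothing aklog could use.
    [ -n "$KRB5CCNAME" ] || return 1

    # klist -s is silent and exits non-zero if the cache is missing or
    # holds only expired tickets, so we never run aklog pointlessly.
    klist -s 2>/dev/null || return 1

    # tokens(1) prints one "... tokens for afs@CELL ..." line per token held
    # in the current PAG; if one is already present there is nothing to do.
    if tokens 2>/dev/null | grep -q 'tokens for'; then
        return 0
    fi

    # Convert the Kerberos ticket into an AFS token for the local cell.
    aklog 2>/dev/null
}

# Only run automatically in interactive shells; non-interactive shells
# (for example "ssh host command") do not read profile.d at all.
case $- in
    *i*) afs_token_from_ticket ;;
esac
```

Because /etc/profile and profile.d are read only by login shells, this covers interactive logins but not `ssh host command`; for those the caller has to run aklog as part of the command itself until sshd is replaced with a version that saves the ticket cache before calling the PAM session hooks.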