[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Russ Allbery
rra@stanford.edu
Mon, 03 Sep 2007 10:40:09 -0700
Robert Sturrock <rns@unimelb.edu.au> writes:
> I have a question about pam-afs-session, although my problem may actually
> be more related to Openssh and Kerberos.
> I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it
> seems to work fine, provided I use pam to do the authentication rather
> than openssh. This means typing my password even though I've already
> got a ticket on my workstation.
> However, I would ideally like to let openssh do the authentication
> (ie. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config). The
> client can forward Kerberos credentials and (hopefully)
> pam-afs-session can turn that into a token. Is such a setup possible?
Yes, I use it all the time on Debian.
However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
PAM session hooks and *then* saves the ticket cache. This is obviously
broken and has been fixed in later versions of sshd, but I don't believe
Red Hat has fixed it in an update. pam-afs-session can't do anything
about this; at the time that it's called, no ticket cache is available
because sshd hasn't written it out yet.
If this is the problem that I remember, there isn't any real solution
other than replacing sshd with a fixed version, but you can work around it
by adding a call to aklog to the system shell initialization files. The
user's PAG is created correctly; the only problem is that aklog is never
run.
> I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
> "useshmem" and "external" that look helpful, but I was hoping not to
> need this as I'm trying to stick as much as possible with the vendor
> supplied packages (RHEL4 has pam_krb5-2.1.8-1).
Won't help for this case, since sshd will still hold on to the ticket
cache for too long and PAM won't see it.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
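The workaround described above (run aklog from the system shell initialization files, since the PAG already exists and only the aklog call is missing) can be written as a small profile script. The following is an added example, not code from the thread or from pam-afs-session; it assumes MIT `klist -s`, OpenAFS `aklog` and `tokens`, a hypothetical path of /etc/profile.d/afs-aklog.sh, and an example cell name `example.com`.

```shell
#!/bin/sh
# Hypothetical /etc/profile.d/afs-aklog.sh: obtain an AFS token at login when
# sshd has already written the forwarded Kerberos ticket cache but the PAM
# session hook ran too early to call aklog.  Assumes MIT klist(1), OpenAFS
# aklog(1) and tokens(1); the cell name below is an assumed example value.

AFS_CELL="${AFS_CELL:-example.com}"

# aklog_needed CELL HAVE_TICKET  < output-of-tokens
# Returns 0 when aklog should run: a usable Kerberos ticket exists
# (HAVE_TICKET=yes) and no token for CELL is already held.  Older tokens
# builds print "tokens for afs@CELL", newer ones "rxkad tokens for CELL";
# the pattern accepts both (dots in CELL match any character, which is
# harmless for this purpose).
aklog_needed() {
    cell="$1"
    have_ticket="$2"
    # Without a ticket aklog cannot succeed; drain stdin and say "no".
    [ "$have_ticket" = yes ] || { cat >/dev/null; return 1; }
    if grep -Eq "tokens for (afs@)?$cell( |$)"; then
        return 1          # token already present, nothing to do
    fi
    return 0
}

# Only act in a session that has the AFS tools installed.  klist -s exits 0
# when the default ticket cache holds a valid, unexpired ticket.
if command -v aklog >/dev/null 2>&1 && command -v tokens >/dev/null 2>&1; then
    if klist -s 2>/dev/null; then have_ticket=yes; else have_ticket=no; fi
    if tokens 2>/dev/null | aklog_needed "$AFS_CELL" "$have_ticket"; then
        aklog -c "$AFS_CELL" || echo "afs-aklog.sh: aklog failed" >&2
    fi
fi
```

Because the token is acquired from the login shell, it lands in the PAG that pam-afs-session created for the session; the check against `tokens` keeps the script from re-running aklog in every subshell that sources the profile. It only covers sessions that actually run a login shell, so a session that never starts one (an sftp subsystem, for instance) still ends up without a token.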