[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4

Ian Ward Comfort icomfort@rescomp.stanford.edu
Mon, 3 Sep 2007 14:47:54 -0700

On Sep 3, 2007, at 10:40 AM, Russ Allbery wrote:
> Robert Sturrock <rns@unimelb.edu.au> writes:
>> I have a question about pam-afs-session, although my problem may  
>> actually be more related to Openssh and Kerberos.
>> I installed pam-afs-session on RHEL4 and (after some PAM  
>> tinkering) it seems to work fine, provided I use pam to do the  
>> authentication rather than openssh.  This means typing my password  
>> even though I've already got a ticket on my workstation.
>> However, I would ideally like to let openssh do the authentication  
>> (ie.  set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).   
>> The client can forward Kerberos credentials and (hopefully) pam- 
>> afs-session can turn that into a token.  Is such a setup possible?
> Yes, I use it all the time on Debian.
> However, if I remmeber correctly, RHEL 4 ships a broken sshd that  
> runs the PAM session hooks and *then* saves the ticket cache.  This  
> is obviously broken and has been fixed in later versions of sshd,  
> but I don't believe Red Hat has fixed it in an update.  pam-afs- 
> session can't do anything about this; at the time that it's called,  
> no ticket cache is available because sshd hasn't written it out yet.

That's correct.  I believe this bug was fixed for OpenSSH 4.0+.   
RHEL4 ships a patched OpenSSH 3.9p1, but does not include the fix for  
this bug.

I put a call to aklog in .bash_profile on all my RHEL boxes, as Russ  
suggests, though that's obviously a less than ideal arrangement.

Ian Ward Comfort <icomfort@rescomp.stanford.edu>
System Administrator, Student Computing, Stanford University