[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Ian Ward Comfort
Mon, 3 Sep 2007 14:47:54 -0700
On Sep 3, 2007, at 10:40 AM, Russ Allbery wrote:
> Robert Sturrock <firstname.lastname@example.org> writes:
>> I have a question about pam-afs-session, although my problem may
>> actually be more related to Openssh and Kerberos.
>> I installed pam-afs-session on RHEL4 and (after some PAM
>> tinkering) it seems to work fine, provided I use pam to do the
>> authentication rather than openssh. This means typing my password
>> even though I've already got a ticket on my workstation.
>> However, I would ideally like to let openssh do the authentication
>> (ie. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).
>> The client can forward Kerberos credentials and (hopefully) pam-
>> afs-session can turn that into a token. Is such a setup possible?
> Yes, I use it all the time on Debian.
> However, if I remmeber correctly, RHEL 4 ships a broken sshd that
> runs the PAM session hooks and *then* saves the ticket cache. This
> is obviously broken and has been fixed in later versions of sshd,
> but I don't believe Red Hat has fixed it in an update. pam-afs-
> session can't do anything about this; at the time that it's called,
> no ticket cache is available because sshd hasn't written it out yet.
That's correct. I believe this bug was fixed for OpenSSH 4.0+.
RHEL4 ships a patched OpenSSH 3.9p1, but does not include the fix for
I put a call to aklog in .bash_profile on all my RHEL boxes, as Russ
suggests, though that's obviously a less than ideal arrangement.
Ian Ward Comfort <email@example.com>
System Administrator, Student Computing, Stanford University