[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4

Martin Ginkel mginkel@mpi-magdeburg.mpg.de
Wed, 05 Sep 2007 22:10:03 +0200

Russ Allbery wrote:
> However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
> PAM session hooks and *then* saves the ticket cache.  This is obviously

OK, this explains the behaviour on some old machines here.

>> I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
>> "useshmem" and "external" that look helpful, but I was hoping not to
>> need this as I'm trying to stick as much as possible with the vendor
>> supplied packages (RHEL4 has pam_krb5-2.1.8-1).

This is what we use on all newer SuSEs.

For the old machines, the workaround is to use GSSAPI (with MIC) and
this /etc/ssh/sshrc (executed before all user shells, instead of xauth):

# If Kerberos 5 tickets exist but no afs service ticket is cached yet, get an AFS token
if ans=`klist -5 2>/dev/null` && ! ( echo "$ans" | grep -Fq 'afs@' ); then
  aklog >/dev/null 2>&1
fi

if test -x /usr/X11/bin/xauth; then