[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Martin Ginkel
mginkel@mpi-magdeburg.mpg.de
Wed, 05 Sep 2007 22:10:03 +0200
Russ Allbery wrote:
> However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
> PAM session hooks and *then* saves the ticket cache. This is obviously
OK, this explains the behaviour on some old machines here.
>> I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
>> "useshmem" and "external" that look helpful, but I was hoping not to
>> need this as I'm trying to stick as much as possible with the vendor
>> supplied packages (RHEL4 has pam_krb5-2.1.8-1).
This is what we use on all newer SuSEs.
For the old machines, the workaround is to use GSSAPI (with MIC) and
this /etc/ssh/sshrc (executed before all user shells, instead of xauth):
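#!/bin/sh
# A Kerberos 5 ticket cache exists but holds no afs@ service ticket yet:
# run aklog to obtain an AFS token for this session.
if ans=`klist -5 2>/dev/null` && ! ( echo "$ans" | grep -Fq 'afs@' ); then
    aklog >/dev/null 2>&1
fi
# sshd does not run xauth itself once an sshrc exists, so call it here.
if test -x /usr/X11/bin/xauth; then
    /usr/X11/bin/xauth
fi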
HTH
Martin