[OpenAFS] OpenSSH, Kerberos and pam-afs-session on RHEL4
Dave Botsch
botsch@cnf.cornell.edu
Wed, 5 Sep 2007 17:04:45 -0400
Has a bug report on this particular issue been filed with redhat?
On Mon, Sep 03, 2007 at 10:40:09AM -0700, Russ Allbery wrote:
> Robert Sturrock <rns@unimelb.edu.au> writes:
>
> > I have a question about pam-afs-session, although my problem may actually
> > be more related to Openssh and Kerberos.
>
> > I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it
> > seems to work fine, provided I use pam to do the authentication rather
> > than openssh. This means typing my password even though I've already
> > got a ticket on my workstation.
>
> > However, I would ideally like to let openssh do the authentication
> > (ie. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config). The
> > client can forward Kerberos credentials and (hopefully)
> > pam-afs-session can turn that into a token. Is such a setup possible?
>
> Yes, I use it all the time on Debian.
>
> However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
> PAM session hooks and *then* saves the ticket cache. This is obviously
> broken and has been fixed in later versions of sshd, but I don't believe
> Red Hat has fixed it in an update. pam-afs-session can't do anything
> about this; at the time that it's called, no ticket cache is available
> because sshd hasn't written it out yet.
>
> If this is the problem that I remember, there isn't any real solution
> other than replacing sshd with a fixed version, but you can work around it
> by adding a call to aklog to the system shell initialization files. The
> user's PAG is created correctly; the only problem is that aklog is never
> run.
>
> > I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
> > "useshmem" and "external" that look helpful, but I was hoping not to
> > need this as I'm trying to stick as much as possible with the vendor
> > supplied packages (RHEL4 has pam_krb5-2.1.8-1).
>
> Won't help for this case, since sshd will still hold on to the ticket
> cache for too long and PAM won't see it.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************
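For readers wanting to try the aklog-in-shell-init workaround Russ describes above, here is an added example (my own, not code from the thread or from the pam-afs-session project) of a snippet of the kind one would drop into a profile.d file; the install path /etc/profile.d/aklog.sh, the /usr/bin/aklog location and the sample `tokens` output are assumptions.

```shell
# Assumed install path: /etc/profile.d/aklog.sh, sourced by /etc/profile for
# login shells, i.e. after sshd has finally written the forwarded ticket cache.

# True (exit 0) when the `tokens` output read from stdin shows no AFS token.
# Reading stdin keeps the check usable without a running Cache Manager.
afs_needs_token() {
    ! grep -q 'tokens for afs@'
}

# True when a usable Kerberos ticket cache exists. klist -s prints nothing and
# exits 0 only if the cache (KRB5CCNAME or the default) holds a valid TGT.
krb5_has_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null
}

# Run aklog only when a ticket is present, no token is held yet, and aklog is
# installed; never let a failure here break the login shell.
maybe_aklog() {
    if [ -x /usr/bin/aklog ] && krb5_has_ticket \
        && tokens 2>/dev/null | afs_needs_token; then
        /usr/bin/aklog || echo "aklog failed; AFS access may be unavailable" >&2
    fi
    return 0
}

maybe_aklog
```

The PAG is already set up by pam-afs-session, so aklog here just fills it with a token; if the ticket cache still is not visible at this point, check that sshd exports KRB5CCNAME into the session.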