[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session
Ken Aaker
kaaker@brocade.com
Thu, 06 Sep 2007 10:06:03 -0500

I spent a good portion of the evening trying to get Kerberos credential
passing to work on my home setup, but never got it to work.
I have a nagging suspicion that I'm misunderstanding something basic.

I'm running OpenSuSE 10.2 x86_64, with OpenAFS 1.4.4, krb5-1.5.1, and
OpenSSH 4.4p1, and pam_afs_session 1.4 (freshly downloaded and built).

I've set up /etc/pam.d/common-auth-pc and /etc/pam.d/common-session-pc
to look like the example in Russ's readme file.

When I ssh into the machine, I'm prompted for a password (which isn't
what I'm after). If I enter the password, everything seems to work
properly, I get a new pag, krb5 tickets, and tokens. I do have tickets
and tokens in the session that I ssh from. It seems like I'm missing
whatever triggers ssh to pass over the ticket?

I've been messing with this on and off for years, it's really handy when
it works.

Thanks,
Ken Aaker

Here's my krb5.conf file.
-----------------------------
[libdefaults]
    default_realm = AAKER.ORG
    clockskew = 300

[realms]
    AAKER.ORG = {
        kdc = sif.aaker.org
        default_domain = aaker.org
        admin_server = sif.aaker.org
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .aaker.org = AAKER.ORG

[appdefaults]
    pam = {
        ticket_lifetime = 30d
        renew_lifetime = 30
        forwardable = true
        proxiable = true
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
    }
-----------------------------