[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

Ken Aaker kaaker@brocade.com
Thu, 06 Sep 2007 10:06:03 -0500

I spent a good portion of the evening trying to get Kerberos credential
passing to work on my home setup, but never got it to work.

I have a nagging suspicion that I'm misunderstanding something basic.

I'm running OpenSuSE 10.2 x86_64, with OpenAFS 1.4.4, krb5-1.5.1, and
OpenSSH 4.4p1, and pam_afs_session 1.4 (freshly downloaded and built).
I've set up /etc/pam.d/common-auth-pc and /etc/pam.d/common-session-pc
to look like the example in Russ's readme file.

When I ssh into the machine, I'm prompted for a password (which isn't
what I'm after). If I enter the password, everything seems to work
properly: I get a new PAG, krb5 tickets, and tokens. I do have tickets
and tokens in the session that I ssh from. It seems like I'm missing
whatever triggers ssh to pass over the ticket?

I've been messing with this on and off for years; it's really handy when
it works.


Ken Aaker

Here's my krb5.conf file.

[libdefaults]
        default_realm = AAKER.ORG
        clockskew = 300

[realms]
        AAKER.ORG = {
                kdc = sif.aaker.org
                default_domain = aaker.org
                admin_server = sif.aaker.org
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .aaker.org = AAKER.ORG

[appdefaults]
        pam = {
                ticket_lifetime = 30d
                renew_lifetime = 30
                forwardable = true
                proxiable = true
                retain_after_close = false
                minimum_uid = 1
                use_shmem = sshd
        }
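The preconditions for OpenSSH to hand a Kerberos ticket to the remote side can be checked mechanically. The script below is an added example, not part of the original post or of pam-afs-session: it parses MIT klist -f, ssh_config and klist -k text fed on stdin, the sample inputs are constructed (host and realm names taken from the krb5.conf above), and it assumes the plain "Keyword value" ssh_config form without Host blocks.

```sh
#!/bin/sh
# Added example (not from the original post): checks for the three things
# GSSAPI credential delegation over OpenSSH depends on. Each function reads
# text on stdin, so it works on live output (klist -f, ~/.ssh/config,
# klist -k) as well as on the constructed samples below.

# 1. The client's TGT must carry the F (forwardable) flag. That is decided
#    when the ticket is obtained (forwardable = true in [libdefaults], or
#    kinit -f); a setting in the [appdefaults] pam section only affects
#    tickets that pam_krb5 itself acquires.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }      # the TGT entry starts here
        /^[^ \t]/  { in_tgt = 0 }            # next unindented line: new entry
        in_tgt && match($0, /Flags: *[A-Za-z]+/) {
            if (index(substr($0, RSTART + 6, RLENGTH - 6), "F")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 2. ssh_config must say yes to GSSAPIAuthentication and
#    GSSAPIDelegateCredentials. As in ssh itself, the first match wins;
#    only the "Keyword value" form is handled and Host blocks are ignored.
ssh_option_is_yes() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { st = (tolower($2) == "yes") ? 0 : 1; seen = 1; exit }
        END { exit seen ? st : 1 }'
}

# 3. sshd needs host/<fqdn>@REALM in its keytab (output of klist -k).
keytab_has_host_principal() {
    awk -v p="host/$1@$2" '$2 == p { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Constructed samples shaped like MIT klist -f, an ssh_config and klist -k;
# host and realm names follow the krb5.conf in the post.
SAMPLE_KLIST='Default principal: ken@AAKER.ORG
Valid starting     Expires            Service principal
09/06/07 09:00:00  09/06/07 19:00:00  krbtgt/AAKER.ORG@AAKER.ORG
    renew until 09/13/07 09:00:00, Flags: FRIA'
SAMPLE_SSH_CONFIG='GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes   (commented out, so delegation is off)
GSSAPIDelegateCredentials no'
SAMPLE_KEYTAB='KVNO Principal
   2 host/sif.aaker.org@AAKER.ORG'

printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable && echo "TGT is forwardable"
printf '%s\n' "$SAMPLE_SSH_CONFIG" | ssh_option_is_yes GSSAPIDelegateCredentials ||
    echo "ssh will not delegate credentials: set GSSAPIDelegateCredentials yes"
```

Run the functions against real output (for example `klist -f | tgt_is_forwardable`) to see which of the three preconditions fails on a given client/server pair.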