[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session
James Rogers
jrogers@nd.edu
Thu, 6 Sep 2007 11:14:06 -0400
I believe krb5 forwarding requires a host principal for the
forwarding machine. Do you have one for your home machine?
--James
On Sep 6, 2007, at 11:06 AM, Ken Aaker wrote:
> I spent a good portion of the evening trying to get Kerberos credential
> passing to work on my home setup, but never got it to work.
>
> I have a nagging suspicion that I'm misunderstanding something basic.
>
> I'm running OpenSuSE 10.2 x86_64, with OpenAFS 1.4.4, krb5-1.5.1, and
> OpenSSH 4.4p1, and pam_afs_session 1.4 (freshly downloaded and built).
> I've set up /etc/pam.d/common-auth-pc and /etc/pam.d/common-session-pc
> to look like the example in Russ's readme file.
>
> When I ssh into the machine, I'm prompted for a password (which isn't
> what I'm after). If I enter the password, everything seems to work
> properly, I get a new pag, krb5 tickets, and tokens. I do have tickets
> and tokens in the session that I ssh from. It seems like I'm missing
> whatever triggers ssh to pass over the ticket?
>
> I've been messing with this on and off for years, it's really handy when
> it works.
>
> Thanks,
>
> Ken Aaker
>
> Here's my krb5.conf file.
>
> -----------------------------
> [libdefaults]
> default_realm = AAKER.ORG
> clockskew = 300
>
> [realms]
> AAKER.ORG = {
> kdc = sif.aaker.org
> default_domain = aaker.org
> admin_server = sif.aaker.org
> }
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
> [domain_realm]
> .aaker.org = AAKER.ORG
> [appdefaults]
> pam = {
> ticket_lifetime = 30d
> renew_lifetime = 30
> forwardable = true
> proxiable = true
> retain_after_close = false
> minimum_uid = 1
> use_shmem = sshd
> }
> -----------------------------
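An added example, not part of either poster's message: a pre-flight check for the settings that ticket-based SSH login and credential forwarding depend on, assuming OpenSSH's GSSAPI support is the mechanism in use. The host name box.aaker.org, the sample inputs and the function names are constructed for illustration; Host/Match scoping in the config files is ignored.

```python
import re

# OpenSSH treats both options as "no" when the keyword is absent.
DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}

def first_value(config_text, keyword):
    # First occurrence wins; Host/Match scoping is ignored (simplification).
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword:
            return parts[1].strip().strip('"').lower()
    return DEFAULTS[keyword]

def keytab_has_host_principal(klist_output, fqdn, realm):
    # Entry lines of `klist -k` start with a numeric KVNO and end with the principal.
    wanted = f"host/{fqdn.lower()}@{realm}"
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            name, _, rlm = fields[-1].rpartition("@")
            if f"{name.lower()}@{rlm}" == wanted:
                return True
    return False

def preflight(klist_output, sshd_config, ssh_config, fqdn, realm):
    # Each check pairs a condition with the message reported when it fails.
    checks = [
        (keytab_has_host_principal(klist_output, fqdn, realm),
         f"server keytab: no host/{fqdn}@{realm}"),
        (first_value(sshd_config, "gssapiauthentication") == "yes",
         "sshd_config: GSSAPIAuthentication is not yes"),
        (first_value(ssh_config, "gssapiauthentication") == "yes",
         "ssh_config: GSSAPIAuthentication is not yes"),
        (first_value(ssh_config, "gssapidelegatecredentials") == "yes",
         "ssh_config: GSSAPIDelegateCredentials is not yes"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed samples; box.aaker.org is a hypothetical host name.
KLIST = "KVNO Principal\n---- ---------\n   3 host/box.aaker.org@AAKER.ORG\n"
SSHD = "UsePAM yes\n#GSSAPIAuthentication yes\n"
SSH = "GSSAPIAuthentication yes\n"

if __name__ == "__main__":
    for problem in preflight(KLIST, SSHD, SSH, "box.aaker.org", "AAKER.ORG"):
        print("MISSING:", problem)
```

Feed it the output of `klist -k` from the machine being logged into, that machine's sshd_config, and the ssh_config from the machine the login starts from.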