[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

Russ Allbery rra@stanford.edu
Thu, 06 Sep 2007 08:58:00 -0700

Ken Aaker <kaaker@brocade.com> writes:

> Thanks for the clues, I am probably missing the host principal. I did
> try various settings of the GSSAPI ssh config parameters, but they
> didn't seem to change the behavior. For the host principle, do I need to
> have those in keytabs?

Yes, you should put it in /etc/krb5.keytab.

> I searched for documentation and found all sorts of stuff, but most of
> it was about older versions of OpenSSH and OpenAFS and didn't apply any
> longer. That added to the confusion, and then there are the other
> related confusion factors, like getting tokens associated with the
> userid instead of a pag, or accidentally available to sshd, so stuff
> seems to work for one user anyway until sshd restarts, or sshd and pam
> claim to get tickets and tokens and then loses them, privilege
> separation, ....

The various PAG and privsep problems shouldn't be an issue if you use
pam-afs-session.  That's largely why I wrote it; I got tired of having a
bunch of different modules that were all broken in different ways.  When
using ssh with GSSAPI credential delegation, you don't even need to
combine it with other PAM modules.

Your original problem wasn't a PAM issue; it didn't get that far.  It was
an ssh privilege delegation issue, in that your client wasn't even
forwarding the tickets.  The ssh -K command-line option is useful here,
since it forces the command-line client to attempt privilege delegation
even if it isn't otherwise configured to do so.  However, you weren't even
getting GSSAPI authentication, which is probably the keytab problem.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>