[OpenAFS] Receiving openafs token per Kerberos 5

Franco Milicchio senseiwa@mac.com
Wed, 20 Feb 2008 17:31:01 +0100


On Feb 20, 2008, at 5:19pm, michael@derhammer.net wrote:

> Hi at all!
>
> I am trying to use single sign on openssh with kerberos. The  
> authentication part is already working. Now I have the problem of  
> receiving a token after the login. As far as I understand this is  
> the job of pam_afs_session.so. So here is my system-auth which is  
> included in /etc/pam.d/ssh
>
> auth    required    pam_env.so
> auth    [success=ok default=1] pam_krb5.so try_first_pass
> auth    [default=done] pam_afs_session.so

I just use the following for my common authentication:

auth    sufficient      pam_unix.so nullok_secure nodelay
auth    sufficient      pam_krb5.so use_first_pass forwardable
auth    required        pam_deny.so

And for session, I use:

session required        pam_unix.so
session optional        pam_krb5.so
session optional        pam_openafs_session.so


> auth    sufficient  pam_unix.so likeauth nullok try_first_pass
> auth    sufficient  pam_ldap.so use_first_pass
> auth    required  pam_deny.so
>
> account    sufficient   pam_krb5.so
> account    sufficient   pam_ldap.so
> account    sufficient   pam_localuser.so
> account    required   pam_unix.so
>
> password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2  
> ocredit=2 retry=3
> password   sufficient   pam_krb5.so
> password   sufficient   pam_unix.so nullok use_authtok shadow md5
> password   required     pam_deny.so
>
> session  optional  pam_krb5.so
> session  sufficient pam_afs_session.so
> session  optional pam_ldap.so
> session  sufficient pam_unix.so
>
> But pam_afs_session.so is posting following error:
>
> sshd[22617]: (pam_afs_session): no token program set in PAM arguments
>
> This error message is coming twice. I would say for auth and
> session. I am really out of ideas especially because everything is
> working fine with a local login. I can't see the difference to the
> ssh login because the auth part with krb is working AND I do have
> the krb token after login. A simple aklog is enough to receive the
> token and I can access my home directory ...

You first have to get a kerberos ticket (auth stanza) and next start a  
session getting a token (session stanza). My configuration works with  
SSH with SSO on my computers (no password or account stanzas  
mentioning kerberos or afs, I don't need them now).

I hope it helps!
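An added check, not part of either poster's message: a small Python script (my own) that parses a PAM stack in the syntax shown above, including the bracketed `[success=ok default=1]` control form, and reports where pam_afs_session.so sits relative to pam_krb5.so. The sample stack is constructed from the original poster's auth and session lines; the three findings it can raise follow the advice in the reply (ticket in auth, token in session, pam_krb5 before pam_afs_session).

```python
import re
from collections import defaultdict

# Constructed sample: the poster's auth and session stanzas from the thread above.
SAMPLE = """\
auth    required    pam_env.so
auth    [success=ok default=1] pam_krb5.so try_first_pass
auth    [default=done] pam_afs_session.so
auth    sufficient  pam_unix.so likeauth nullok try_first_pass
auth    required  pam_deny.so
session  optional  pam_krb5.so
session  sufficient pam_afs_session.so
session  sufficient pam_unix.so
"""

# type, control (simple keyword or [bracketed action list]), module, optional args
LINE_RE = re.compile(r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append((typ, control, module, args.split()))
    return entries

def check_afs_stack(entries):
    """Findings about the placement of pam_afs_session.so and pam_krb5.so."""
    findings = []
    by_type = defaultdict(list)
    for typ, _ctl, module, _args in entries:
        by_type[typ].append(module)
    afs_in_auth = by_type["auth"].count("pam_afs_session.so")
    if afs_in_auth:
        findings.append(f"pam_afs_session.so listed {afs_in_auth}x in the auth stack; "
                        "the ticket belongs in auth, the token in session")
    sess = by_type["session"]
    if "pam_afs_session.so" not in sess:
        findings.append("pam_afs_session.so missing from the session stack: no token will be obtained")
    elif "pam_krb5.so" in sess and sess.index("pam_krb5.so") > sess.index("pam_afs_session.so"):
        findings.append("pam_afs_session.so runs before pam_krb5.so in session: ticket cache may not exist yet")
    return findings

if __name__ == "__main__":
    for f in check_afs_stack(parse_pam(SAMPLE)):
        print("finding:", f)
```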