[OpenAFS] OS X 10.5 and kerberos ssh logins
Stephen Joyce
stephen@physics.unc.edu
Thu, 30 Jul 2009 12:29:01 -0400 (EDT)
On Thu, 30 Jul 2009, Adeyemi Adesanya wrote:
>
> Any chance of providing a very simple configuration recipe? ssh config
> options and PAM modules?
Sure. I don't think there are any "ZOMGZ!!!1" misconfigurations with this
config, but if you see any, let me know offlist so I can correct them. I'm
still learning to live in the reality distortion field emanating from
Cupertino...
/etc/sshd_config:
$ grep -v ^# /etc/sshd_config | grep -v ^$
Protocol 2
SyslogFacility AUTHPRIV
RSAAuthentication yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation no
Subsystem sftp /usr/libexec/sftp-server
/etc/pam.d/sshd
$ grep -v ^# /etc/pam.d/sshd | grep -v ^$
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_krb5-1.3.so try_first_pass
auth optional pam_afs_session.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_securityserver.so
password required pam_deny.so
session required pam_launchd.so
session optional pam_afpmount.so
session required pam_afs_session.so
pam_krb5-1.3.so is pam_krb5-1.3-rc7 from
http://sourceforge.net/projects/pam-krb5/files/
pam_afs_session.so is from
http://www.eyrie.org/~eagle/software/pam-afs-session/readme.html
Both were straightforward compilations, but I can provide binaries if
needed.
I once accidentally stacked pam_securityserver.so before
pam_krb5 & pam_afs_session (but after having configured /etc/authorization
to do krb5 auth for the loginwindow). Doing that allowed logins via
securityd, but without saving tickets or getting tokens. Also remember to
beware the privilege separation.
Hth.
Cheers, Stephen
--
Stephen Joyce
Systems Administrator
PANIC - Physics and Astronomy Network Infrastructure and Computing
University of North Carolina at Chapel Hill
voice: 919.962.7214
fax: 919.962.0480
Beware any philosophy that will fit in this space.
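An added example, not part of Stephen's post or of either PAM module's
distribution: a small Python checker that parses pam.d and sshd_config text and
flags the mistake described above (a "sufficient" module such as
pam_securityserver.so stacked ahead of pam_krb5 in the auth phase, which ends
authentication before any ticket or token exists), plus the sshd settings
without which the PAM auth stack is never consulted at all. The sample inputs
are constructed from the configs in the post; the module-name prefix
"pam_krb5" and the rule that pam_afs_session.so belongs in the session phase
are assumptions taken from the post's stack, not from either module's docs.

```python
"""Lint /etc/pam.d/sshd and sshd_config for the pitfalls in the post.

Added example, not from the original post.  Sample inputs below are
constructed from the post's configs (and one deliberately broken copy).
"""
import re
from typing import Dict, List, NamedTuple


class PamEntry(NamedTuple):
    phase: str       # auth | account | password | session
    control: str     # required | sufficient | optional | [bracketed form]
    module: str      # e.g. pam_krb5-1.3.so
    args: List[str]  # e.g. ['try_first_pass']


# phase, control (plain word or [..] form), module, optional args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[PamEntry]:
    """Parse pam.d syntax, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        phase, control, module, rest = m.groups()
        entries.append(PamEntry(phase, control, module, rest.split()))
    return entries


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Option -> value with lower-cased keys; first occurrence wins, as in sshd."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def check_auth_order(entries: List[PamEntry], krb_prefix: str = "pam_krb5",
                     afs_module: str = "pam_afs_session.so") -> List[str]:
    """Problems with the auth/session stacks; an empty list means it looks right."""
    problems = []
    auth = [e for e in entries if e.phase == "auth"]
    krb = next((i for i, e in enumerate(auth) if e.module.startswith(krb_prefix)), None)
    if krb is None:
        return ["auth: no pam_krb5 module, so no Kerberos ticket is ever obtained"]
    # A 'sufficient' module that succeeds before pam_krb5 ends the auth stack
    # right there: the securityd-before-krb5 mistake described in the post.
    for e in auth[:krb]:
        if e.control == "sufficient":
            problems.append(f"auth: {e.module} is 'sufficient' and stacked before "
                            f"{auth[krb].module}; a local password logs in "
                            "without tickets or tokens")
    afs = next((i for i, e in enumerate(auth) if e.module == afs_module), None)
    if afs is not None and afs < krb:
        problems.append(f"auth: {afs_module} runs before {auth[krb].module}, "
                        "so there is no ticket cache to build a token from")
    # Assumption from the post's stack: the token is obtained in the session phase.
    if not any(e.phase == "session" and e.module == afs_module for e in entries):
        problems.append(f"session: {afs_module} missing; the post lists it as required there")
    return problems


def check_sshd(opts: Dict[str, str]) -> List[str]:
    """Settings without which the PAM auth stack is never reached."""
    problems = []
    if opts.get("usepam", "no").lower() != "yes":
        problems.append("sshd_config: UsePAM is not 'yes', so PAM is never consulted")
    # PAM auth modules only see a password via 'password' or keyboard-interactive.
    if (opts.get("passwordauthentication", "yes").lower() != "yes"
            and opts.get("challengeresponseauthentication", "yes").lower() != "yes"):
        problems.append("sshd_config: neither PasswordAuthentication nor "
                        "ChallengeResponseAuthentication is on; no password reaches pam_krb5")
    return problems


def lint(pam_text: str, sshd_text: str) -> List[str]:
    return check_auth_order(parse_pam(pam_text)) + check_sshd(parse_sshd_config(sshd_text))


# Constructed from the post: the working stack, and the mis-ordered one.
POST_PAM = """\
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_krb5-1.3.so try_first_pass
auth optional pam_afs_session.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_securityserver.so
password required pam_deny.so
session required pam_launchd.so
session optional pam_afpmount.so
session required pam_afs_session.so
"""
BAD_PAM = POST_PAM.replace("auth sufficient pam_securityserver.so\n", "").replace(
    "auth sufficient pam_krb5", "auth sufficient pam_securityserver.so\nauth sufficient pam_krb5")
POST_SSHD = "Protocol 2\nPasswordAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n"

if __name__ == "__main__":
    for name, pam in (("post", POST_PAM), ("mis-ordered", BAD_PAM)):
        print(name, lint(pam, POST_SSHD) or ["ok"])
```

Run it as-is to see the mis-ordered stack flagged; point it at a real
/etc/pam.d/sshd by passing the file contents to lint().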