[OpenAFS-port-darwin] Kerberos, Tiger, ssh, and /etc/authorization
Michael Ross
mgross@psych.umass.edu
Thu, 3 Aug 2006 10:43:36 -0400
I've read through the mailing lists, and searched around the web, and
I have to admit that I'm still confused about the state of ssh logins
to AFS Tiger systems.

Several people have stated on this list that the only change
necessary to get Kerberos tickets as a side-effect of logging in
(assuming matching username and password), is to add the
"builtin:krb5login,privileged" mechanism to the system.login.tty
section. [Let's forget about getting AFS tokens for the moment -
first things first.]

I've tried this, with no success (although without the changes I can
type "kinit" after I've logged in and get a perfectly fine set of
Kerberos tickets after re-entering my password). I can't login with
these modifications.

According to secure.log:

    Aug 3 10:19:49 vader com.apple.SecurityServer: authinternal authenticated user mgross (uid 501).

According to system.log:

    Aug 3 10:19:49 vader sshd[7637]: error: PAM: Authentication failure for mgross from rotate.sbs.umass.edu

Apart from the changes to /etc/authorization and my edu.mit.Kerberos
file, everything is as-shipped by Apple, as far as I know.

I'm trying to lend my old MIT research group a hand, and any advice
would be widely appreciated.
----
Michael Ross
mgross@psych.umass.edu