Can't get ssh over k5/afs working well

Douglas E. Engert deengert at anl.gov
Tue Aug 17 14:29:06 EDT 2004


Sam,
I was just looking at the OpenSSH-3.8 which is in testing, to see
how I could get rid of my last mod. It was getting an AFS token.
I was developing a pam_afs2.so which had a pam_sm_open_session
routine that would look for the KRB5CCNAME in the pam environment
so aklog could be called.

But to get this set by the OpenSSH code required the call to
ssh_gssapi_storecreds to be moved up somewhat in the code.

It sounds like Debian has done something similar.
Is the code available? Did you need OpenSSH modifications?

The intent of the change was to separate out any requirement
of OpenSSH to be compiled with any AFS code, and to not require
pam_krb5 to have any knowledge of AFS as well. All that is
needed is for OpenSSH or pam_krb5 to have established the
ticket cache and set KRB5CCNAME. Then the pam_afs2 would
get a PAG and call aklog.

Sam Hartman wrote:

> In Debian, using the ssh-krb5 package with a pam config like:
> 
> auth [success=ok default=1] pam_krb5.so forwardable
> auth [default=1] pam_permit.so
> auth       required     pam_unix.so try_first_pass
> auth [default=ignore] pam_openafs_session.so
> 
> 
> should mostly do what you want.
> 
> Note that the ssh gssapi support between 3.4/3.6 and 3.8 is
> incompatible.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444