problem setting up ssh-krb5 from Debian Sarge

Wes Chow wes at woahnelly.net
Fri Oct 29 18:41:17 EDT 2004

After all that, I now have an AFS question.  I'm not sure whether I
should ask the question here or on the OpenAFS list, as it seems at
least to me that it's a Kerberos ticket forwarding problem.

I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):

auth    [success=ok default=1]  pam_krb5.so forwardable 
auth    [default=done]          pam_openafs_session.so debug


my sshd_config:

# To change Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
KerberosTicketCleanup yes

# Kerberos TGT Passing does only work with the AFS kaserver
KerberosTgtPassing yes

#GSSAPI authentication
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes



The first time I log into the machine from an unkerberized SSH client,
it asks for a password.  I supply it and am then presented the
Kerberos tickets as well as an AFS ticket.  So far so good:


wchow at jack's password: 
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:26:27 2004 from monitor2.dev.in.athenacr.com
wchow at jack:~$ klist
Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: wchow at D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/jack.dev.in.athenacr.com at D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  afs/d2702.athenacr.com at D2702.ATHENACR.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
wchow at jack:~$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs at d2702.athenacr.com [Expires Oct 30 04:33]
   --End of list--


Then, from jack (which has a kerberized ssh installation), I try to
ssh into itself:


wchow at jack:~$ ssh -K jack
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:33:39 2004 from milhouse.dev.in.athenacr.com
-bash: /home/wchow/.bash_login: Permission denied



The "Permission denied" error is a symptom of not having AFS tickets
since the home directory is mounted on AFS:



wchow at jack:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: wchow at D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
wchow at jack:~$ tokens

Tokens held by the Cache Manager:

   --End of list--



The Kerberos tickets were forwarded correctly, but the AFS ticket was
not.  Is this a problem with my ssh-krb5 installation, or should I be
asking the OpenAFS list about this?

Looking at my /var/log/auth.log output, it looks as if the "ssh -K
jack" command skips PAM completely:

Oct 29 18:33:48 jack sshd[787]: (pam_unix) session opened for user wchow by (uid=0)
Oct 29 18:33:48 jack sshd[787]: Accepted gssapi for wchow from 192.168.0.6 port 32771 ssh2


Why is it that AFS tickets aren't being forwarded?

Thanks,
Wes

-- 
http://www.woahnelly.net/~wes/          OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644
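A post-login check for the state shown in the transcript above (Kerberos TGT present, no AFS token), written as an added example; it is not code from the original post or from ssh-krb5. The function names are mine, and the klist and tokens samples are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not code from the original post: classify a login session
# from the text of `klist` and `tokens` to flag the state shown above, where
# the Kerberos TGT was forwarded but no AFS token was obtained.
# The sample outputs below are constructed from the post's transcript.

# True if the klist output contains a ticket whose service principal
# starts with the given prefix (e.g. "krbtgt/" or "afs/").
has_service_ticket() {   # $1 = klist output, $2 = service prefix
    printf '%s\n' "$1" | grep -q -- " $2"
}

# True if the tokens output lists at least one AFS token.
has_afs_token() {        # $1 = tokens output
    printf '%s\n' "$1" | grep -q 'tokens for afs'
}

# Single-word summary: ok, no-afs-token, or no-krb5-tgt.
session_state() {        # $1 = klist output, $2 = tokens output
    if ! has_service_ticket "$1" "krbtgt/"; then
        echo no-krb5-tgt
    elif has_afs_token "$2"; then
        echo ok
    else
        # TGT present but no token: the AFS token step did not run for
        # this login (what the post's second, GSSAPI, login shows).
        echo no-afs-token
    fi
}

# Constructed sample: the password login (TGT, afs/ ticket, token held).
KLIST_PASSWORD='Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  afs/d2702.athenacr.com@D2702.ATHENACR.COM'
TOKENS_HELD="User's (AFS ID 1000) tokens for afs@d2702.athenacr.com [Expires Oct 30 04:33]"

# Constructed sample: the ssh -K login (forwarded TGT only, no token).
KLIST_FORWARDED='Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM'
TOKENS_EMPTY='   --End of list--'

echo "password login: $(session_state "$KLIST_PASSWORD" "$TOKENS_HELD")"
echo "ssh -K login:   $(session_state "$KLIST_FORWARDED" "$TOKENS_EMPTY")"
```

On a live host the same classification runs as `session_state "$(klist 2>/dev/null)" "$(tokens 2>/dev/null)"`, which is a cheap thing to put in a login script to catch this condition before it surfaces as "Permission denied" on an AFS home directory.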