problem setting up ssh-krb5 from Debian Sarge
Wes Chow
wes@woahnelly.net
Fri Oct 29 18:41:17 EDT 2004
After all that, I now have an AFS question. I'm not sure whether I
should ask the question here or on the OpenAFS list, as it seems at
least to me that it's a Kerberos ticket forwarding problem.
I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):
auth [success=ok default=1] pam_krb5.so forwardable
auth [default=done] pam_openafs_session.so debug
my sshd_config:
# To change Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
KerberosTicketCleanup yes
# Kerberos TGT Passing does only work with the AFS kaserver
KerberosTgtPassing yes
#GSSAPI authentication
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes
The first time I log into the machine from an unkerberized SSH client,
it asks for a password. I supply it and am then presented with the
Kerberos tickets as well as an AFS token. So far so good:
wchow@jack's password:
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:26:27 2004 from monitor2.dev.in.athenacr.com
wchow@jack:~$ klist
Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/jack.dev.in.athenacr.com@D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  afs/d2702.athenacr.com@D2702.ATHENACR.COM

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
wchow@jack:~$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@d2702.athenacr.com [Expires Oct 30 04:33]
   --End of list--
Then, from jack (which has a kerberized ssh installation), I try to
ssh into itself:
wchow@jack:~$ ssh -K jack
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:33:39 2004 from milhouse.dev.in.athenacr.com
-bash: /home/wchow/.bash_login: Permission denied
The "Permission denied" error is a symptom of not having AFS tickets
since the home directory is mounted on AFS:
wchow@jack:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
wchow@jack:~$ tokens

Tokens held by the Cache Manager:

   --End of list--
The Kerberos tickets were forwarded correctly, but the AFS ticket was
not. Is this a problem with my ssh-krb5 installation, or should I be
asking the OpenAFS list about this?
Looking at my /var/log/auth.log output, it looks as if the "ssh -K
jack" command skips pam completely:
Oct 29 18:33:48 jack sshd[787]: (pam_unix) session opened for user wchow by (uid=0)
Oct 29 18:33:48 jack sshd[787]: Accepted gssapi for wchow from 192.168.0.6 port 32771 ssh2
Why is it that AFS tickets aren't being forwarded?
Thanks,
Wes
--
http://www.woahnelly.net/~wes/ OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F DF52 3F52 D582 A5CA 6644
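An added example, not code from Wes's post: a small POSIX shell script that reduces the three pieces of evidence quoted above (the klist dump, the tokens dump and the sshd lines from auth.log) to one verdict per user, so a session that received a forwarded TGT but no AFS token is distinguished from one that authenticated by password and got its token. The sample inputs are constructed from the output in the post; the "Accepted password" auth.log line, its pid and its source address are assumed, since the post does not quote them.

```shell
#!/bin/sh
# Added example, not from the original post. Reduces klist, tokens and
# auth.log evidence to a single verdict. All sample inputs are constructed.

# Constructed from the post: state after `ssh -K jack` (TGT forwarded, no afs/ ticket).
KLIST_GSSAPI='Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM'

TOKENS_GSSAPI='Tokens held by the Cache Manager:

   --End of list--'

AUTHLOG_GSSAPI='Oct 29 18:33:48 jack sshd[787]: (pam_unix) session opened for user wchow by (uid=0)
Oct 29 18:33:48 jack sshd[787]: Accepted gssapi for wchow from 192.168.0.6 port 32771 ssh2'

# Constructed from the post: state after the password login (afs/ ticket and token present).
# The "Accepted password" line, pid 742 and address 192.168.0.7 are assumed, not quoted in the post.
KLIST_PASSWORD='Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/jack.dev.in.athenacr.com@D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM
10/29/04 18:33:39  10/30/04 04:33:39  afs/d2702.athenacr.com@D2702.ATHENACR.COM'

TOKENS_PASSWORD="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@d2702.athenacr.com [Expires Oct 30 04:33]
   --End of list--"

AUTHLOG_PASSWORD='Oct 29 18:33:39 jack sshd[742]: Accepted password for wchow from 192.168.0.7 port 32770 ssh2
Oct 29 18:33:39 jack sshd[742]: (pam_unix) session opened for user wchow by (uid=0)'

# Exit 0 when the klist text on stdin contains a krbtgt (TGT) entry.
has_tgt() { grep -q 'krbtgt/'; }

# Exit 0 when the klist text on stdin contains an afs/ service ticket.
has_afs_ticket() { grep -q ' afs/'; }

# Exit 0 when the tokens text on stdin lists an AFS token.
has_afs_token() { grep -q 'tokens for afs@'; }

# Print the method sshd accepted for user $1 ("gssapi", "password",
# "keyboard-interactive/pam", ...) from auth.log text on stdin, or "none".
accepted_method() {
    m=$(sed -n "s|^.*sshd\[[0-9]*\]: Accepted \([a-z/-]*\) for $1 .*|\1|p" | head -n 1)
    if [ -n "$m" ]; then printf '%s\n' "$m"; else printf 'none\n'; fi
}

# Verdict for user $1 from klist text $2, tokens text $3 and auth.log text $4.
# Prints "<CODE> method=<method> afs_ticket=<yes|no>" where CODE is one of
#   OK            TGT and AFS token both present
#   NO_AFS_TOKEN  TGT present but no AFS token (the post's ssh -K case)
#   NO_TGT        no Kerberos TGT at all
diagnose() {
    method=$(printf '%s\n' "$4" | accepted_method "$1")
    if printf '%s\n' "$2" | has_afs_ticket; then afs_ticket=yes; else afs_ticket=no; fi
    if ! printf '%s\n' "$2" | has_tgt; then
        code=NO_TGT
    elif printf '%s\n' "$3" | has_afs_token; then
        code=OK
    else
        code=NO_AFS_TOKEN
    fi
    printf '%s method=%s afs_ticket=%s\n' "$code" "$method" "$afs_ticket"
}

# Demo: the post's two logins side by side.
printf 'ssh -K login:   %s\n' "$(diagnose wchow "$KLIST_GSSAPI" "$TOKENS_GSSAPI" "$AUTHLOG_GSSAPI")"
printf 'password login: %s\n' "$(diagnose wchow "$KLIST_PASSWORD" "$TOKENS_PASSWORD" "$AUTHLOG_PASSWORD")"
```

Read the verdict against the quoted log lines: the "(pam_unix) session opened" entry shows the PAM session stack did run for the GSSAPI login, while pam_krb5 and pam_openafs_session sit in the auth stack (common-auth), which sshd does not consult for a connection authenticated by GSSAPI. The forwarded TGT therefore arrives, but nothing in that session turns it into an AFS token; running aklog against the forwarded credentials, or obtaining the token from the PAM session stack rather than the auth stack, is the usual way to close that gap.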