problem setting up ssh-krb5 from Debian Sarge

Christopher D. Clausen cclausen at acm.org
Fri Oct 29 20:46:37 EDT 2004


Wes Chow wrote:
> After all that, I now have an AFS question.  I'm not sure whether I
> should ask the question here or on the OpenAFS list, as it seems at
> least to me that it's a Kerberos ticket forwarding problem.
>
> I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):
>
> auth    [success=ok default=1]  pam_krb5.so forwardable
> auth    [default=done]          pam_openafs_session.so debug
>
> wchow at jack's password:
> Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686
> GNU/Linux
> wchow at jack:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_iCScnU
> Default principal: wchow at D2702.ATHENACR.COM
>
> Valid starting     Expires            Service principal
> 10/29/04 18:33:39  10/30/04 04:33:39
> host/jack.dev.in.athenacr.com at D2702.ATHENACR.COM
> 10/29/04 18:33:39  10/30/04 04:33:39
> krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
> 10/29/04 18:33:39  10/30/04 04:33:39
> afs/d2702.athenacr.com at D2702.ATHENACR.COM
>
> wchow at jack:~$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1000) tokens for afs at d2702.athenacr.com [Expires Oct 30
> 04:33]
>   --End of list--
>
> Then, from jack (which has a kerberized ssh installation), I try to
> ssh into itself:
>
>
> wchow at jack:~$ ssh -K jack
> Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004
> i686 GNU/Linux

Well, check your /etc/hosts file.  I believe that Debian puts the 
hostname on the 127.0.0.1 line.  This is not good.
You want to do something like this:
[cclausen at clortho:/]% cat /etc/hosts
127.0.0.1       localhost
128.174.251.6   clortho.acm.uiuc.edu    clortho
128.174.251.37  enzo.acm.uiuc.edu       enzo

Or else you'll end up with Kerberos trying to get tickets for localhost 
and the KDC as well as the client libraries will get confused as to 
which machine is "localhost."

> The Kerberos tickets were forwarded correctly, but the AFS ticket was
> not.  Is this a problem with my ssh-krb5 installation, or should I be
> asking the OpenAFS list about this?

You probably should be asking this question on the OpenAFS list, but 
there are many who read both.

> Looking at my /var/log/auth.log output, it looks as if the "ssh -K
> jack" command skips pam completely:

PAM should not be skipped, even when using credential forwarding.

> Why is it that AFS tickets aren't being forwarded?

AFS tokens are NOT forwarded through SSH.  Instead, you would use your 
forwarded Kerberos tickets to obtain AFS tokens on the remote machine. 
(Usually via PAM, although several sites have modified the OpenSSH 
code.)

You have libpam-openafs-session installed.  Are you using it as a 
session module also?
session    required     pam_openafs_session.so

This could also be a problem with Kerberos tickets not being 
"forwardable."
Please show output from klist -f:

[cclausen at clortho:/]% klist -f
Ticket cache: FILE:/tmp/krb5cc_3qzSel
Default principal: cclausen at ACM.UIUC.EDU

Valid starting     Expires            Service principal
10/29/04 13:35:04  10/29/04 23:35:02  krbtgt/ACM.UIUC.EDU at ACM.UIUC.EDU
        Flags: FPI
10/29/04 13:35:08  10/29/04 23:35:02  afs/acm.uiuc.edu at ACM.UIUC.EDU
        Flags: FPT

The 'F' means that the ticket is forwardable.  If your tickets are not 
forwardable they will only be used for authentication and not actually 
be available in your ccache on the remote machine.

It looks like your tickets are being forwarded though, so it's probably 
just the session PAM config for pam_openafs_session.

<<CDC
Christopher D. Clausen
ACM at UIUC SysAdmin 
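As an added example, not code from the thread: a small shell script that checks the three things the reply above points at (the hostname on the 127.0.0.1 line of /etc/hosts, a TGT without the F flag in `klist -f`, and pam_openafs_session.so absent from the PAM session stack). It runs against constructed sample files; the hostname jack and the realm are taken from the thread, while the address 192.0.2.10 and the file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.  Each check takes a file path,
# so on a real host you point it at /etc/hosts, saved `klist -f` output and
# the PAM config instead of the constructed samples built below.

# Returns 0 when hostname $2 is NOT an alias on a 127.x line of hosts file $1.
hostname_not_loopback() {
    ! awk -v h="$2" '
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Returns 0 when the krbtgt/ ticket in saved `klist -f` output $1 has an F on
# the "Flags:" line that klist prints directly below the ticket.
tgt_forwardable() {
    awk '
        /krbtgt\// { tgt = 1; next }
        tgt && /Flags:/ { if ($2 ~ /F/) ok = 1; exit }
        { tgt = 0 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Returns 0 when pam_openafs_session.so appears on a "session" line of $1.
openafs_session_configured() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_openafs_session\.so' "$1"
}

# Constructed sample inputs (192.0.2.10 is a documentation-range address).
d=$(mktemp -d)
printf '127.0.0.1\tlocalhost jack\n' > "$d/hosts.bad"
printf '127.0.0.1\tlocalhost\n192.0.2.10\tjack.dev.in.athenacr.com jack\n' > "$d/hosts.good"
cat > "$d/klist.good" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_sample
Default principal: wchow@D2702.ATHENACR.COM

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM@D2702.ATHENACR.COM
        Flags: FPI
EOF
sed 's/FPI/PI/' "$d/klist.good" > "$d/klist.bad"
printf 'auth [success=ok default=1] pam_krb5.so forwardable\nauth [default=done] pam_openafs_session.so debug\n' > "$d/pam.bad"
{ cat "$d/pam.bad"; echo 'session required pam_openafs_session.so'; } > "$d/pam.good"
# Report each check the way you would read it on the box being debugged.
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
for v in bad good; do
    report hostname_not_loopback "$d/hosts.$v" jack
    report tgt_forwardable "$d/klist.$v"
    report openafs_session_configured "$d/pam.$v"
done
```

The sample files are left in the temporary directory for inspection; the "bad" set reproduces the configuration the thread describes and the "good" set the layout the reply recommends.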


