problem setting up ssh-krb5 from Debian Sarge
Christopher D. Clausen
cclausen at acm.org
Fri Oct 29 20:46:37 EDT 2004
Wes Chow wrote:
> After all that, I now have an AFS question. I'm not sure whether I
> should ask the question here or on the OpenAFS list, as it seems at
> least to me that it's a Kerberos ticket forwarding problem.
>
> I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):
>
> auth [success=ok default=1] pam_krb5.so forwardable
> auth [default=done] pam_openafs_session.so debug
>
> wchow at jack's password:
> Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux
> wchow at jack:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_iCScnU
> Default principal: wchow at D2702.ATHENACR.COM
>
> Valid starting     Expires            Service principal
> 10/29/04 18:33:39  10/30/04 04:33:39  host/jack.dev.in.athenacr.com at D2702.ATHENACR.COM
> 10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/D2702.ATHENACR.COM at D2702.ATHENACR.COM
> 10/29/04 18:33:39  10/30/04 04:33:39  afs/d2702.athenacr.com at D2702.ATHENACR.COM
>
> wchow at jack:~$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1000) tokens for afs at d2702.athenacr.com [Expires Oct 30 04:33]
> --End of list--
>
> Then, from jack (which has a kerberized ssh installation), I try to
> ssh into itself:
>
> wchow at jack:~$ ssh -K jack
> Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux
Well, check your /etc/hosts file. I believe that Debian puts the
hostname on the 127.0.0.1 line. This is not good.
You want to do something like this:
[cclausen at clortho:/]% cat /etc/hosts
127.0.0.1 localhost
128.174.251.6 clortho.acm.uiuc.edu clortho
128.174.251.37 enzo.acm.uiuc.edu enzo
Or else you'll end up with Kerberos trying to get tickets for localhost
and the KDC as well as the client libraries will get confused as to
which machine is "localhost."
> The Kerberos tickets were forwarded correctly, but the AFS ticket was
> not. Is this a problem with my ssh-krb5 installation, or should I be
> asking the OpenAFS list about this?
You probably should be asking this question on the OpenAFS list, but
there are many who read both.
> Looking at my /var/log/auth.log output, it looks as if the "ssh -K
> jack" command skips pam completely:
PAM should not be skipped, even when using credential forwarding.
> Why is it that AFS tickets aren't being forwarded?
AFS tokens are NOT forwarded through SSH. Instead, you would use your
forwarded Kerberos tickets to obtain AFS tokens on the remote machine.
(Usually via PAM, although several sites have modified the OpenSSH
code.)
You have libpam-openafs-session installed. Are you using it as a
session module also?
session required pam_openafs_session.so
This could also be a problem with Kerberos tickets not being
"forwardable."
Please show output from klist -f:
[cclausen at clortho:/]% klist -f
Ticket cache: FILE:/tmp/krb5cc_3qzSel
Default principal: cclausen at ACM.UIUC.EDU
Valid starting     Expires            Service principal
10/29/04 13:35:04  10/29/04 23:35:02  krbtgt/ACM.UIUC.EDU at ACM.UIUC.EDU
        Flags: FPI
10/29/04 13:35:08  10/29/04 23:35:02  afs/acm.uiuc.edu at ACM.UIUC.EDU
        Flags: FPT
The 'F' means that the ticket is forwardable. If your tickets are not
forwardable they will only be used for authentication and not actually
be available in your ccache on the remote machine.
It looks like your tickets are being forwarded though, so it's probably
just the session PAM config for pam_openafs_session.
<<CDC
Christopher D. Clausen
ACM at UIUC SysAdmin
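The reply above names three things to check on the host: whether its own name sits on a loopback line in /etc/hosts, whether the krbtgt ticket in `klist -f` output carries the F (forwardable) flag, and whether pam_openafs_session.so is loaded as a session module and not only as an auth module. The POSIX sh script below is an added example, not code from either poster or from the Debian or OpenAFS projects; it runs those three checks offline against constructed sample text (the hostnames, realm, addresses and cache name are placeholders), so it can be tried without a Kerberos or AFS setup.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the three things the
# reply points at. All inputs are passed as strings, so the constructed samples
# below stand in for real /etc/hosts, klist -f and PAM configuration text.

# 1. Is the host's own name on a loopback line of /etc/hosts?
#    Returns 0 (true) if it is, which is the misconfiguration described above.
hostname_on_loopback() {
    hosts_text="$1"; name="$2"
    printf '%s\n' "$hosts_text" | awk -v n="$name" '
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == n) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 2. Does the krbtgt entry in klist -f output carry the F (forwardable) flag?
#    Only the Flags: line printed directly after the krbtgt line is examined.
tgt_forwardable() {
    klist_text="$1"
    printf '%s\n' "$klist_text" | awk '
        index($0, "krbtgt/") > 0 { in_tgt = 1; next }
        in_tgt && $1 == "Flags:"  { if ($2 ~ /F/) ok = 1; in_tgt = 0 }
        END { exit ok ? 0 : 1 }'
}

# 3. Does the PAM config load pam_openafs_session.so as a session module?
pam_has_afs_session() {
    pam_text="$1"
    printf '%s\n' "$pam_text" | awk '
        $1 == "session" && index($0, "pam_openafs_session.so") > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run all three checks, print one warning per finding, return the finding count.
diagnose() {
    hosts="$1"; name="$2"; klist="$3"; pam="$4"; problems=0
    if hostname_on_loopback "$hosts" "$name"; then
        echo "WARN: $name is listed on a loopback line in /etc/hosts"
        problems=$((problems + 1))
    fi
    if ! tgt_forwardable "$klist"; then
        echo "WARN: krbtgt ticket lacks the F (forwardable) flag"
        problems=$((problems + 1))
    fi
    if ! pam_has_afs_session "$pam"; then
        echo "WARN: no 'session ... pam_openafs_session.so' line in PAM config"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples (hostnames, addresses, realm and cache name are placeholders).
BAD_HOSTS='127.0.0.1 localhost jack
10.0.0.5 jack.example.com'
GOOD_HOSTS='127.0.0.1 localhost
10.0.0.5 jack.example.com jack'
KLIST_FWD='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
10/29/04 13:35:04  10/29/04 23:35:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FPI
10/29/04 13:35:08  10/29/04 23:35:02  afs/example.com@EXAMPLE.COM
        Flags: FPT'
KLIST_NOFWD=$(printf '%s\n' "$KLIST_FWD" | sed 's/Flags: FPI/Flags: PI/')
PAM_OK='auth    [success=ok default=1] pam_krb5.so forwardable
auth    [default=done]         pam_openafs_session.so debug
session required               pam_openafs_session.so'
PAM_NOSESSION=$(printf '%s\n' "$PAM_OK" | grep -v '^session')

# Stand-alone demo: the misconfigured samples produce three warnings.
diagnose "$BAD_HOSTS" jack "$KLIST_NOFWD" "$PAM_NOSESSION" || echo "problems found: $?"
```

On a real host the same functions would be fed `"$(cat /etc/hosts)"`, `"$(hostname)"`, `"$(klist -f)"` and the contents of the relevant file under /etc/pam.d; the checks only read text, so they are safe to run as an unprivileged user.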