Kerberos tickets, SSH public key auth, AFS tokens
Jeff Blaine
jblaine at stage-infinity.com
Wed Dec 16 22:30:11 EST 2009
On 12/16/2009 10:24 PM, Russ Allbery wrote:
> Jeff Blaine <jblaine at stage-infinity.com> writes:
>
>> Yup, they're there, just no tokens. I even tried a pam_krb5RA2.so and
>> pam_afs_session2.so built against the Sun kerberos instead of our local
>> MIT kerberos for kicks. Same result.
>
>> ~:faron> kdestroy
>> ~:faron> logout
>> Connection to faron closed.
>> ~:cairo> /usr/bin/ssh -o "GSSAPIDelegateCredentials yes" faron
>> ~:faron> klist
>> Ticket cache: FILE:/tmp/krb5cc_26560
>> Default principal: jblaine at RCF.FOO.ORG
>
>> Valid starting Expires Service principal
>> 12/16/09 22:18:51 12/23/09 19:05:33 krbtgt/RCF.FOO.ORG at RCF.FOO.ORG
>> renew until 12/23/09 19:05:33
>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:faron>
>
> Oh, right, I remember this problem now. This is why Douglas has another
> PAM module that does nothing except set KRB5CCNAME in the environment for
> use on Solaris. Solaris uses the default UID-based ticket cache and hence
> doesn't set KRB5CCNAME in the environment.
>
> Try adding always_aklog to the pam_afs_session configuration.
Bingo. That worked.
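
The state diagnosed in this thread (delegated tickets sitting in the default UID-based cache while KRB5CCNAME stays unset) can be checked from a shell on the login host. This is an added example, not part of the original messages; the function names `classify_ccache` and `advise` and the state labels are hypothetical, and it assumes a FILE cache named `krb5cc_<uid>` as in the klist output above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and state labels are
# hypothetical; assumes the default cache is FILE:<dir>/krb5cc_<uid>.

# classify_ccache KRB5CCNAME_VALUE UID [CACHE_DIR]
# Prints: env-cache | env-stale | env-other | default-cache | no-cache
classify_ccache() {
    cc_name=$1
    cc_uid=$2
    cc_dir=${3:-/tmp}
    if [ -n "$cc_name" ]; then
        case $cc_name in
            FILE:*) cc_path=${cc_name#FILE:} ;;
            *:*)    echo env-other; return 0 ;;  # non-file cache type, not inspected
            *)      cc_path=$cc_name ;;          # no type prefix is read as a file path
        esac
        if [ -f "$cc_path" ]; then echo env-cache; else echo env-stale; fi
        return 0
    fi
    # KRB5CCNAME unset: only the UID-based default location can hold tickets.
    if [ -f "$cc_dir/krb5cc_$cc_uid" ]; then
        echo default-cache
    else
        echo no-cache
    fi
}

# advise STATE: one-line reading of each state, following the thread.
advise() {
    case $1 in
        env-cache)     echo "KRB5CCNAME points at a cache; session modules can find it" ;;
        env-stale)     echo "KRB5CCNAME is set but the cache file is missing" ;;
        env-other)     echo "KRB5CCNAME names a non-file cache; inspect it with klist" ;;
        default-cache) echo "tickets exist but KRB5CCNAME is unset; try always_aklog in pam_afs_session" ;;
        no-cache)      echo "no ticket cache found; check that credentials were delegated" ;;
        *)             echo "unknown state: $1"; return 1 ;;
    esac
}

# Usage on the login host, with the UID taken from the thread's cache name:
#   advise "$(classify_ccache "${KRB5CCNAME:-}" 26560)"
```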