Help: Can OpenSSH get OpenAFS token after the client login?

Markus Moeller huaraz at moeller.plus.com
Sat Jun 11 13:22:27 EDT 2011


If I remember right when GSSAPIauthentication is used and the client has a 
valid Kerberos ticket pam won't be called on the server, so the pam module 
won't help in that case.

Markus

"Booker Bense" <bbense at slac.stanford.edu> wrote in message 
news:alpine.LRH.2.00.1106110716160.24038 at telemark.slac.stanford.edu...
>
> For various reasons[1] I've found that the pam solution doesn't cover all 
> bases and I've resorted to putting aklog in
>
> /etc/ssh/sshrc
>
> If you have an sshrc it needs to deal with the xauth stuff as well.
>
> #
> # Evil workaround for pam sshd stupidity.
> if [ -n "$KRB5CCNAME" ] && [ -x /usr/bin/aklog ]; then
>  /usr/bin/aklog
> fi
> if read proto cookie && [ -n "$DISPLAY" ]; then
>                      if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; 
> then
>                              # X11UseLocalhost=yes
>                              echo add unix:`echo $DISPLAY |
>                                  cut -c11-` $proto $cookie
>                      else
>                              # X11UseLocalhost=no
>                              echo add $DISPLAY $proto $cookie
>                      fi | /usr/bin/xauth -q -
> fi
>
> - Booker C. Bense
>
> [1]- To be honest I've forgotten exactly what the combination was, but 
> there was one edge case that I just couldn't get the
> pam based solution to work. The sshrc solution is also required
> on OS X. 





More information about the Kerberos mailing list