[OpenAFS] AFS + LDAP + PAM + SSH

Maurizio Santini msantini@pictage.com.ar
Tue, 07 Sep 2004 19:52:30 -0300


I'm using openafs 1.2.11 and I've downloaded and installed the latest
version of openssh (3.9) to be able to ssh to another host and have the
token automatically assigned without having to issue klog again.

I've compiled openssh with pam enabled, configured /etc/pam.d/login, ssh
and system-auth and enabled UsePAM in sshd_config but I still have the
same problem.  I can ssh and login but I don't get the token unless I
issue klog.

These are my pam configuration files:

/etc/pam.d/login
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_ldap.so
#account    sufficient  /lib/security/pam_afs.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_afs.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

############################
sshd

auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_afs.so
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
##########################

system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_afs.so ignore_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_afs.so

I have been looking at previous mailing lists but couldn't find a way to
make it work.

Help would be very much appreciated.

Maurizio Santini
System administrator
Ten Roses SRL.