[OpenAFS] AFS + LDAP + PAM + SSH

Maurizio Santini msantini@pictage.com.ar
Wed, 15 Sep 2004 12:46:54 -0300


Thank you for answering my email.  I took into consideration your
suggestion and I'm now experimenting with Kerberos V.  A question that
might be obvious, but as I'm new to this it's not to me :)

I've installed Kerberos and got it to work (I can get a ticket using kinit
or login from a terminal), but the problem is the AFS token, which doesn't
get assigned.

I've read about the AFS-to-Kerberos migration kit and I wonder if I have
to apply it to be able to use aklog and the like, or if it's enough to
modify the /etc/pam.d/login file.

Thanks,

Maurizio Santini
System administrator
Ten Roses SRL.

On Wed, 2004-09-08 at 08:26, Sergio Gelato wrote:
> * Maurizio Santini [2004-09-07 19:52:30 -0300]:
> > I'm using openafs 1.2.11 and I've downloaded and installed the latest
> > version of openssh (3.9) to be able to ssh to another host and have the
> > token automatically assigned without having to issue klog again.
> 
> Would you consider migrating to Kerberos 5 for authentication? That's what
> most people are doing, for several good reasons (flaws in the Kerberos 4
> protocol, interoperability with Windows 2000/XP, GSSAPI support), so you'll
> increasingly find that pam_krb5afs is much better supported than pam_afs
> (simply because of the larger user base).
> 
> > I've compiled OpenSSH with PAM enabled, configured /etc/pam.d/login, sshd
> > and system-auth and enabled UsePAM in sshd_config, but I still have the
> > same problem.  I can ssh and log in but I don't get the token unless I
> > issue klog.
> > 
> > These are my pam configuration files:
> [...] 
> > ############################
> > sshd
> > 
> > auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
> 
> All right. This will put your token into the PAG of the sshd process that
> does the authentication. With privilege separation, that process is not
> an ancestor of your login session. That's why turning off privilege
> separation should work around the problem.
> 
> Kerberos 5 would help because in most UNIX implementations the credential
> cache is implemented as a disk file, so direct filiation between the ccache
> creator and the ccache user (the session module that gets an AFS token from
> the TGT) is not required. In principle it should be possible to write a
> custom pam_afs.so that has a similar provision for credential passing
> between processes, but as I said the pam_afs.so user base is shrinking.
> 
> Another way might be for the parent sshd to get its PAG before it forks
> for PrivSep, and for pam_afs.so not to set a new PAG. Then the token
> would be shared among all sshd siblings for the same connection.
> 
> > auth       required     /lib/security/pam_stack.so service=system-auth
> > auth       required     /lib/security/pam_nologin.so
> > account    sufficient   /lib/security/pam_ldap.so
> > account    required     /lib/security/pam_stack.so service=system-auth
> > password   required     /lib/security/pam_stack.so service=system-auth
> > session    optional     /lib/security/pam_afs.so
> > session    required     /lib/security/pam_stack.so service=system-auth
> > session    required     /lib/security/pam_limits.so
> > session    optional     /lib/security/pam_console.so
> > ##########################
> > 
> > system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/pam_env.so
> > auth        sufficient    /lib/security/pam_afs.so ignore_root
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> > auth        required      /lib/security/pam_deny.so
> > account     required      /lib/security/pam_unix.so
> > password    required      /lib/security/pam_cracklib.so retry=3 type=
> > password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> > password    required      /lib/security/pam_deny.so
> > session     required      /lib/security/pam_limits.so
> > session     required      /lib/security/pam_unix.so
> > session     optional      /lib/security/pam_afs.so
> > 
> > I have been looking at previous mailing lists but couldn't find a way to
> > make it work.
> > 
> > Help would be very much appreciated.
> > 
> > Maurizio Santini
> > System administrator
> > Ten Roses SRL.
> >
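The check below is an added example, not part of the original thread or of OpenAFS. It encodes the diagnosis from Sergio's reply: an "auth" phase pam_afs.so line puts the token into the PAG of the privilege-separated authentication child, so with UsePrivilegeSeparation on (OpenSSH's default when the keyword is absent) the token never reaches the login shell. It flags that combination, and shows beside the original stack a Kerberos 5 based one in which the token is obtained in the session phase from the on-disk credential cache. The sample files are constructed, and the module names in the Kerberos 5 stack (pam_krb5, pam_afs_session) are assumptions to verify against your own distribution rather than the pam_krb5afs the reply mentions.

```shell
#!/bin/sh
# Added example (not from the original thread): detect the sshd PAM pattern
# in which pam_afs.so runs in the *auth* phase while sshd privilege
# separation is on, so the AFS token lands in the wrong process's PAG.
# File paths, sample contents and the Kerberos 5 stack are constructed.

# Print the effective UsePrivilegeSeparation value from an sshd_config.
# OpenSSH treats a missing keyword as "yes".
privsep_setting() {
    v=$(grep -Ei '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' "$1" \
        | tail -n 1 | awk '{ print tolower($2) }')
    [ -n "$v" ] || v=yes
    printf '%s\n' "$v"
}

# Return 0 (true) when an uncommented "auth ... pam_afs.so" line exists in
# the PAM file and privilege separation is on: the token obtained there is
# not inherited by the user's session.
afs_token_lost_to_privsep() {
    pamfile=$1; sshdconf=$2
    grep -Ev '^[[:space:]]*#' "$pamfile" \
        | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_afs\.so' || return 1
    [ "$(privsep_setting "$sshdconf")" = yes ]
}

# Construct the sample configurations used below and print the temporary
# directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    # 1. The shape of the stack from the original post: pam_afs.so in auth.
    cat > "$dir/sshd.orig" <<'EOF'
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_afs.so
EOF
    # 2. Kerberos 5 based stack (assumed module names): pam_krb5 obtains the
    #    TGT into a ccache file, pam_afs_session turns it into an AFS token
    #    in the session phase, which runs in the user's own process tree.
    cat > "$dir/sshd.krb5" <<'EOF'
auth       sufficient   pam_krb5.so try_first_pass
auth       required     pam_stack.so service=system-auth
session    optional     pam_afs_session.so
session    required     pam_stack.so service=system-auth
EOF
    # sshd_config with privsep left at its default, and with it turned off.
    printf 'UsePAM yes\n' > "$dir/sshd_config.default"
    printf 'UsePAM yes\nUsePrivilegeSeparation no\n' > "$dir/sshd_config.noprivsep"
    printf '%s\n' "$dir"
}

# Report one PAM file / sshd_config pair as LOST or OK.
report() {
    if afs_token_lost_to_privsep "$1" "$2"; then
        echo "LOST  $1 + $2"
    else
        echo "OK    $1 + $2"
    fi
}

d=$(make_samples)
report "$d/sshd.orig" "$d/sshd_config.default"     # LOST: the situation in the thread
report "$d/sshd.orig" "$d/sshd_config.noprivsep"   # OK: the privsep workaround
report "$d/sshd.krb5" "$d/sshd_config.default"     # OK: token obtained in the session phase
```

Point the two functions at the real /etc/pam.d/sshd and /etc/ssh/sshd_config to check a live host; a LOST result with pam_afs.so means either turning privilege separation off, as the reply suggests, or moving to a Kerberos 5 stack where the session module does the token work.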