Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-29 Thread Ralf Brunckhorst

Hi Stephan,

Since Red Hat has completely removed support for DES/DES3 enctypes in 
RHEL 8.3 (and newer) and your client is still using them (I can see it in 
the log you provided: (enctype=1)|(enctype=2)|(enctype=3)), it will fail.


RHEL8.3 and newer: completely removed support for DES and DES3 keys:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/rhel-8-3-0-release#deprecated-functionality_identity-management

Could you check your Master key on your Kerberos server via: kdb5_util 
list_mkeys
Maybe a re-key of the Master key is needed as well (if it is still on 
DES or DES3).


Regards,
--
Ralf Brunckhorst
rbrunckho...@sinenomine.net

On 11 Jul 2022, at 10:30, Stephan Wonczak wrote:


  Hi Jeffrey,
  Thanks for having a look at the problem.
  However, I obviously did not do a very good job detailing exactly 
what we did ... so here's my next try. Warning: It is going to be 
lengthy :-)


  First off: We do not use SSSD. And we would like to keep it that 
way, since it caused various massive problems in the past.


  On RHEL-7, everything works perfectly. We are using the 
RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
 Looking at the debug-output of the module, this is what the relevant 
part looks like:


Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user  by (uid=0)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul  8 

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-14 Thread Stephan Wonczak

  Hi Jeffrey,
  Thanks for having a look at the problem.
  However, I obviously did not do a very good job detailing exactly what 
we did ... so here's my next try. Warning: It is going to be lengthy :-)


  First off: We do not use SSSD. And we would like to keep it that way, 
since it caused various massive problems in the past.


  On RHEL-7, everything works perfectly. We are using the RedHat-supplied 
RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
 Looking at the debug-output of the module, this is what the relevant part 
looks like:


Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user  by (uid=0)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XX
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured



  We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a 
rebuild on a RHEL-8-Machine. This worked without any errors.

  However, when we try to use this to get a token, this happens:

Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de 

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
Not surprised that they patched something useful in. And it is a useful
option.

thanks

On Mon, Jul 11, 2022 at 12:40:57PM -0700, Carson Gaspar wrote:
> This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch
> 
> On 7/11/2022 12:26 PM, Dirk Heinrichs wrote:
> > Dave Botsch:
> > 
> > > Maybe it's not in newer release of openssh?
> > Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't
> > have it. See
> > https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
> > 
> > Bye...
> > 
> >      Dirk
> > 
> ___
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Carson Gaspar

This is a Red Hat patch: openssh-7.7p1-gssapi-new-unique.patch

On 7/11/2022 12:26 PM, Dirk Heinrichs wrote:

Dave Botsch:


Maybe it's not in newer release of openssh?

Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't
have it. See
https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html

Bye...

     Dirk




Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
Yup, I see that that option is not there on rhel6 with
openssh-server-5.3p1-124.el6_10.x86_64

so must be a new option. And something that was clearly handled
differently on RHEL6.

thanks!

On Mon, Jul 11, 2022 at 09:26:54PM +0200, Dirk Heinrichs wrote:
> Dave Botsch:
> 
> > Maybe it's not in newer release of openssh?
> 
> Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't
> have it. See
> https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html
> 
> Bye...
> 
>     Dirk
> 
> -- 
> Dirk Heinrichs 
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
> 






Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dirk Heinrichs
Dave Botsch:

> Maybe it's not in newer release of openssh?

Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't
have it. See
https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html

Bye...

    Dirk

-- 
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de





Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
Maybe it's not in newer release of openssh?

RHEL8 is using:

$ rpm -q openssh-server
openssh-server-8.0p1-13.el8.x86_64

And from the man page:


KerberosUniqueCCache

 Specifies whether to store the acquired tickets in the
 per-session credential cache under /tmp/ or whether to use
 per-user credential cache as configured in /etc/krb5.conf.
 The default value no can lead to overwriting previous
 tickets by subsequent connections to the same user account.


And this gets a bit interesting depending on what's in /etc/krb5.conf
and if using sssd what's in sssd.conf for kerberos.


Thanks.

On Mon, Jul 11, 2022 at 07:54:12PM +0200, Dirk Heinrichs wrote:
> Dave Botsch:
> 
> > KerberosUniqueCCache=yes in sshd.conf
> 
> Could you elaborate on what this option is good for? I can't find it in
> sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0,
> nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some
> special RH-only thing?
> 
> Thanks a lot...
> 
>     Dirk
> 
> 






Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dirk Heinrichs
Dave Botsch:

> KerberosUniqueCCache=yes in sshd.conf

Could you elaborate on what this option is good for? I can't find it in
sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0,
nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some
special RH-only thing?

Thanks a lot...

    Dirk



Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
Since we are not using PAGs anymore on most of our systems and instead
using UID based logins for tokens, I should retest and see what does and
doesn't work with keyrings as I honestly don't recall at this point, and
things have changed with the various point releases of RHEL8. One of the
challenges when testing is that things can appear to work when in
reality, the last login didn't actually destroy all credentials.

My memory does say, though, that on login we did successfully get
kerberos tickets in the keyring (aklog may be a different story,
though, and I have a note that that didn't work without:
KerberosUniqueCCache=yes in sshd.conf, though no more details, stream of
thought comments Lol)

There's a couple of systems where we still use PAGs so that when a user
logs out with multiple logins, their other logins still have tokens. With
systemd-login, that may not actually be needed to accomplish said end
goal. 

All future stuff to play with. 

On Mon, Jul 11, 2022 at 01:20:31PM -0400, Ken Hornstein wrote:
> >We went back to using FILE based caches for use along with PAGs.
> >Something didn't work right with keyring caches, and I don't recall
> >what.
> 
> Ah-HA.  I was wondering about that.  I suspect you ran into the base
> problem that my PAM stack solves, namely that _in_ the PAM stack you're
> running as root and that creates a keyring cache owned by root which
> doesn't work after you call setuid().
> 
> It's kind of a challenging corner case; you receive forwarded
> credentials in a daemon running as root, but then you have to write
> them out as the user.  How do you do that at the right point in the
> daemon process, especially when they assume after setuid() is called
> they have all of the normal rights of a user?  My solution was designed
> so that after you exited the session stack you had all of the Kerberos
> and AFS stuff set up properly.  I'm open to other ideas!  But recall
> that for us keyrings are a hard requirement.
> 
> --Ken



Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
We went back to using FILE based caches for use along with PAGs.
Something didn't work right with keyring caches, and I don't recall
what.

I believe our general path was, keyring didn't work, ok, go to file
based. Now get sssd and pam_afs_session working properly and work around
the krb5-1.18 breakage. Did we ever go back to trying keyring again? Not
sure.

Of course, on several systems, we have eliminated the use of PAGs due to
the aforementioned problems with systemd-login and gnome-shell stuff not
working properly with PAGs. So on those, could probably switch back to
keyring credentials.

thanks.


On Mon, Jul 11, 2022 at 11:05:33AM -0400, Ken Hornstein wrote:
> >I think all we had to do, actually, was set appropriate options for
> >GSSAPI in sshd_config ... and make sure it was still using PAM for the
> >account and session pieces.
> 
> Right, but do you use both keyring credential caches and PAGs?  Those two
> were what made things difficult for us.  In my experience if the keyring
> credential cache is owned by root then you can't add new credentials to
> it as a vanilla user (and vice versa).
> 
> --Ken



Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
I think all we had to do, actually, was set appropriate options for
GSSAPI in sshd_config ... and make sure it was still using PAM for the
account and session pieces.


We did not have to use any stashcred or chuse stuff... our session stack
looks like:

session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
-session optional   pam_systemd.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  optional   pam_afs_session.so program=/opt/local/bin/aklog
session  required   pam_unix.so
session  optional   pam_sss.so


(We had to recompile aklog to deal with krb5-1.18 breaking unique
kerberos caches, hence pointing to the other external aklog program,
which does, btw, work with the standard pam_afs_session)

I believe all we did was to add the pam_afs_session line to the session
stack.


Thanks.

On Mon, Jul 11, 2022 at 10:14:39AM -0400, Ken Hornstein wrote:
> >(of course, authenticating with kerberos tickets instead of passwords is
> >a tad more complicated with sshd doing stuff, too).
> 
> Yeah, tell me about it.  This is the PAM stack we ended up with:
> 
> session required pam_stashcred.so save
> session required pam_chuser.so r2user
> session required pam_afs_session.so notokens
> session required pam_chuser.so r2e
> session required pam_chuser.so e2user
> session required pam_stashcred.so restore force-keyring
> session required pam_chuser.so e2r
> session required pam_afs_session.so nopag
> 
> stashcred and chuser are PAM modules I wrote.  For us the use of keyring
> credential caches is non-negotiable, but the owner of the session keyring
> ends up being wrong without some help.  And sadly the owner of the AFS
> PAG is based on the real userid, but the Kerberos credential cache owner
> is based on the effective userid.  So we use stashcred to save the
> Kerberos credential cache internally (received via credential forwarding),
> set the real userid to the value of the authenticated userid using
> chuser, create the PAG with pam_afs_session so it is owned by the
> authenticated user, switch things so now the effective userid is the
> authenticated userid, restore the Kerberos credential cache (and force
> it to be keyring and set KRB5CCNAME appropriately), switch everything
> back so we're running as root again, and THEN get an AFS token.  It's
> a mess, but we get keyring credential caches and PAGs and it all works.
> 
> --Ken


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Stephan Wonczak

  Hi all!
  Jeffrey pointed us in the right direction - and most useful, a reason 
why it failed for us. Kudos to Jeffrey, as always!
  Since we won't touch SSSD with a 10-yard-stick, we gave 
pam_afs_session.so a spin. And lo and behold: It really worked!


  We have the following in our password-auth:

(...)
auth     sufficient    pam_krb5.so forward_pass ignore_afs=true
auth     required      pam_afs_session.so program=/usr/bin/aklog
auth     required      pam_deny.so

(...)
session  optional      pam_krb5.so ignore_afs=true
session  required      pam_afs_session.so program=/usr/bin/aklog

  Still needs a bit more testing, but now AFS-Login is working and no sssd 
in sight ;-) Might be useful to others with a similar problem.


  Cheers from Cologne,
  Stephan

On Mon, 11 Jul 2022, Dave Botsch wrote:


I wanted to mention that we are successfully doing ssh and gnome-shell
logins with pam_sssd where sssd takes care of authN via kerberos and via
ldap provides group information, and pam_afs_session to get afs tokens.

Two difficulties... if using PAGSHs, not all processes run inside a
pagsh, which can break gnome-shell stuff. So not using PAGsh is
recommended.

and with systemd_login, it and subprocesses don't necessarily quit on
logout. Which means they are sitting there banging away against afs with
no tokens (if you use afs homedirs). There is an option to force
systemd_login to quit at logout, though this breaks the use of things
like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get
sssd working properly migrating from nslcd and pam_krb5 on rhel6).

thanks


On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:

Only if you let sssd touch Kerberos. There are any number of reasons not
to let it do so (no clue if the KRB5 and LDAP problems are fixed in
later versions, but the EL8 code was written by crazed weasels on
crack). But I'd use Russ' pam_krb5 instead of one from EL7
(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which
would probably require you use pam_afs_session as suggested (unless I'm
missing something in the docs, which is very possible).


I guess this explains why when everyone talks about the Kerberos issues
they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
anywhere near Kerberos and it sounds like that's a bad idea (at least
for the things we want to do).

--Ken



Dipl. Chem. Dr. Stephan Wonczak

Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
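As an added example (not code from the thread, from pam_krb5 or from pam_afs_session), here is a small parser for pam.d stacks like the three quoted in this thread, with a lint that encodes the lesson of Stephan's working password-auth: once pam_afs_session obtains the tokens, pam_krb5 has to be told `ignore_afs=true` so that its built-in AFS token code (the RHEL 7 debug output shows it active as `flag: no ignore_afs` followed by `obtaining afs tokens`) stays out of the way; on RHEL 8.3 and newer that built-in code only works with a pam_krb5 that has rxkad-kdf. The sample stacks are constructed copies of configurations posted in the thread; the finding texts and helper names are assumptions of this example.

```python
"""Parser and lint for pam.d stacks, written for the AFS-token question in this thread."""
import re
import shlex
from dataclasses import dataclass

# type, control word (possibly a [bracketed] expression containing spaces),
# module, free-form arguments.  A leading '-' asks PAM not to log an error
# when the module file is missing.
_LINE_RE = re.compile(
    r"^(?P<dash>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


@dataclass(frozen=True)
class PamEntry:
    type: str
    control: str
    module: str
    args: tuple
    silent_if_missing: bool = False

    def has_arg(self, arg: str) -> bool:
        return arg in self.args


def parse_pam_line(line):
    """Parse one pam.d line; returns None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable pam.d line: {line!r}")
    return PamEntry(m["type"], m["control"], m["module"],
                    tuple(shlex.split(m["args"])), m["dash"] == "-")


def parse_pam_stack(text):
    return [e for e in map(parse_pam_line, text.splitlines()) if e is not None]


def lint_afs_tokens(entries):
    """Findings about how (and whether) the stack obtains AFS tokens."""
    findings = []
    for phase in ("auth", "session"):
        in_phase = [e for e in entries if e.type == phase]
        krb5 = [e for e in in_phase if e.module == "pam_krb5.so"]
        afs = [e for e in in_phase if e.module == "pam_afs_session.so"]
        for e in krb5:
            if e.has_arg("ignore_afs=true"):
                continue
            if afs:
                findings.append(f"{phase}: pam_krb5.so and pam_afs_session.so both try to "
                                "obtain tokens; add ignore_afs=true to pam_krb5.so")
            else:
                findings.append(f"{phase}: pam_krb5.so uses its built-in AFS token code; "
                                "on RHEL 8.3+ that needs a pam_krb5 with rxkad-kdf, "
                                "or pair it with pam_afs_session.so and ignore_afs=true")
    obtains_tokens = any(e.module == "pam_afs_session.so" for e in entries) or any(
        e.module == "pam_krb5.so" and not e.has_arg("ignore_afs=true") for e in entries)
    if not obtains_tokens:
        findings.append("no module in this stack obtains AFS tokens")
    return findings


# Constructed samples: Stephan's working password-auth, a stack that still
# relies on pam_krb5's own token code, and Dave's sssd/GSSAPI session stack.
STACK_WORKING = """\
auth     sufficient    pam_krb5.so forward_pass ignore_afs=true
auth     required      pam_afs_session.so program=/usr/bin/aklog
auth     required      pam_deny.so
session  optional      pam_krb5.so ignore_afs=true
session  required      pam_afs_session.so program=/usr/bin/aklog
"""

STACK_BUILTIN = """\
auth     sufficient    pam_krb5.so forward_pass
session  optional      pam_krb5.so
"""

STACK_SSSD = """\
# tickets arrive via GSSAPI from sshd; sssd handles accounts
session optional pam_keyinit.so revoke
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_afs_session.so program=/opt/local/bin/aklog
session optional pam_sss.so
"""

if __name__ == "__main__":
    for name, text in (("working", STACK_WORKING), ("builtin", STACK_BUILTIN), ("sssd", STACK_SSSD)):
        print(name, lint_afs_tokens(parse_pam_stack(text)) or "ok")
```

The lint is deliberately narrow: it only looks at which modules try to obtain tokens and whether pam_krb5 has been told to stand down. It passes Dave's stack, where no pam_krb5 is present and the ticket comes from sshd's GSSAPI forwarding, as well as Stephan's.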

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch


In our case, we use multiple kerberos domains to authenticate users. 

So in pam.d/password-auth...

auth     sufficient   pam_sss.so forward_pass


then lets sssd take care of figuring out via an ldap lookup, which
kerberos domain to authenticate the user against.

(of course, authenticating with kerberos tickets instead of passwords is
a tad more complicated with sshd doing stuff, too).

nsswitch is also involved for lines like:

account sufficient pam_succeed_if.so user ingroup users

(where the group users is populated by sssd via ldap lookup into AD)

Thanks.

On Mon, Jul 11, 2022 at 09:43:48AM -0400, Ken Hornstein wrote:
> >I wanted to mention that we are successfully doing ssh and gnome-shell
> >logins with pam_sssd where sssd takes care of authN via kerberos and via
> >ldap provides group information, and pam_afs_session to get afs tokens.
> 
> I guess _this_ is the part I'm confused about; why is pam_sss in there?
> I know that other people do this so I'm sure there's a reason, but we
> never found it necessary.  We do use sssd, but only via nsswitch;
> we control per-host access with ldap-based netgroups.
> 
> --Ken



Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Dave Botsch
I wanted to mention that we are successfully doing ssh and gnome-shell
logins with pam_sssd where sssd takes care of authN via kerberos and via
ldap provides group information, and pam_afs_session to get afs tokens.

Two difficulties... if using PAGSHs, not all processes run inside a
pagsh, which can break gnome-shell stuff. So not using PAGsh is
recommended.

and with systemd_login, it and subprocesses don't necessarily quit on
logout. Which means they are sitting there banging away against afs with
no tokens (if you use afs homedirs). There is an option to force
systemd_login to quit at logout, though this breaks the use of things
like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get
sssd working properly migrating from nslcd and pam_krb5 on rhel6).

thanks


On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
> >Only if you let sssd touch Kerberos. There are any number of reasons not 
> >to let it do so (no clue if the KRB5 and LDAP problems are fixed in 
> >later versions, but the EL8 code was written by crazed weasels on 
> >crack). But I'd use Russ' pam_krb5 instead of one from EL7 
> >(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which 
> >would probably require you use pam_afs_session as suggested (unless I'm 
> >missing something in the docs, which is very possible).
> 
> I guess this explains why when everyone talks about the Kerberos issues
> they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
> anywhere near Kerberos and it sounds like that's a bad idea (at least
> for the things we want to do).
> 
> --Ken


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-11 Thread Jeffrey E Altman

reply inline

On 7/11/2022 4:30 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:

Hi Jeffrey,
  Thanks for having a look at the problem.
  However, I obviously did not do a very good job detailing exactly 
what we did ... so here's my next try. Warning: It is going to be 
lengthy :-)


  First off: We do not use SSSD. And we would like to keep it that 
way, since it caused various massive problems in the past.


  On RHEL-7, everything works perfectly. We are using the 
RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64


The version of pam_krb5 is not the only variable that matters. As I 
mentioned in my earlier replies pam_krb5-2.4.8-6.el7 does not include 
support for rxkad-kdf which is required in order to make use of Kerberos 
encryption types other than des-cbc-crc for example 
aes256-cts-hmac-sha1-96.   Without that functionality pam_krb5 only works 
with Kerberos v5 service tickets whose session keys are des-cbc-crc.






We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a 
rebuild on a RHEL-8-Machine. This worked without any errors.

  However, when we try to use this to get a token, this happens:

...
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=2) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=3) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("a...@rrz.uni-koeln.de")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=1) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=2) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'a...@rrz.uni-koeln.de' (enctype=3) on behalf of 'a0...@rrz.uni-koeln.de': No credentials found with supported encryption types

...


   ETYPE_DES_CBC_CRC(1)
   ETYPE_DES_CBC_MD4(2)
   ETYPE_DES_CBC_MD5(3)

The pam_krb5 from rhel7 only knows how to request tickets with DES 
encryption types.  It assumes that OpenAFS cannot support anything else 
because it does not have the rxkad-kdf functionality that was added to 
pam_krb5 post-rhel7 (Jan 4, 2016):


https://github.com/frozencemetery/pam_krb5/commit/3be27655bf9d2520e776ef22ba6bb9486005fff1

To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On 
RHEL-8, we still get a valid kerberos ticket, but getting the 
AFS-Token fails. It -is- possible, however, to get a valid AFS-Token 
by klog.krb5. So -in principle- everything is in place to have this 
done by pam_afs.
  The problem is: I have no way to determine why it is complaining 
about "no supported encryption types" when other tools have no 
problems at all!


The answer to this is simple.  The krb5 libraries included in rhel7 
support DES encryption types.   The krb5 libraries included with rhel8 
do not.   As a result, a pam_krb5 that supports rxkad-kdf is required.




  Additional info. Yes, we did rekey our AFS-cell quite a while ago, 
and our afs-Principal has two keys:


kadmin.local:  getprinc afs/rrz.uni-koeln.de
Principal: afs/rrz.uni-koeln...@rrz.uni-koeln.de

Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]

I hope the vno 4 des-cbc-crc key is not present on any of the 
rrz.uni-koeln.de servers.   If it is, the servers are still vulnerable to


  OPENAFS-SA-2013-003 - Brute force DES attack permits compromise of 
AFS cell

  http://www.openafs.org/pages/security/#OPENAFS-SA-2013-003


Like I said before, I looked at the sources of our version of 
pam_krb5, and the part where it is failing starts at line 775 inside 
the function "minikafs_5log_with_principal" (I'll attach the 
minikafs.c to this mail for reference)


This version of minikafs.c does not support rxkad-kdf.



  If you or anyone else has any ideas how to tackle the problem, any 
help would be greatly appreciated.


Deploy a version of pam_krb5 which contains the required rxkad-kdf 
functionality.   
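The lingering "vno 4, des-cbc-crc" key that Jeffrey points at above is easy to miss in a long getprinc listing. What follows is an added example for this thread, not code from OpenAFS, pam_krb5 or anyone posting here: a small Python script that parses MIT kadmin getprinc output and classifies the principal as clean, DES-only, or "mixed" (a strong key next to an old single-DES key, the state shown in the listing above). The sample listing is constructed after the quoted one with a placeholder cell and realm; the German "Anzahl der Schlüssel" label is kept only to show that the parser keys on the "Key: vno" lines, which the quoted listing shows untranslated even in a German locale. The kadmin command in the docstring is a generic invocation, not something taken from the thread.

```python
"""Flag single-DES keys in MIT kadmin 'getprinc' output.

Added example for this thread; not code from OpenAFS, pam_krb5 or the
thread's authors.  Feed it the output of
    kadmin.local -q "getprinc afs/<cell>"
(cell name is a placeholder).
"""
import re

# Single-DES enctype names as MIT kadmin prints them (RFC 3961 ids 1-3 and
# the des-hmac-sha1 variant).  Every one is a 56-bit key, i.e. the key
# class that OPENAFS-SA-2013-003 is about.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

# kadmin lists one "Key: vno N, <enctype>[:<salt>]" line per key.  The
# enctype name stops at the optional ":salt" suffix (e.g. des-cbc-crc:afs3).
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*([a-z0-9-]+)", re.MULTILINE)


def parse_keys(listing):
    """Return [(vno, enctype), ...] in the order kadmin printed them."""
    return [(int(vno), etype) for vno, etype in KEY_LINE.findall(listing)]


def des_keys(listing):
    """Only the keys whose enctype is single DES."""
    return [(vno, etype) for vno, etype in parse_keys(listing) if etype in SINGLE_DES]


def audit(listing):
    """Classify a principal:
       'ok'        no single-DES key at all
       'des-only'  nothing but single-DES keys (cell never rekeyed)
       'mixed'     a strong key plus an old DES key still on the KDC, the
                   state in the thread (aes256 vno 5 next to des-cbc-crc vno 4)
       'no-keys'   no "Key:" lines found (wrong input?)
    """
    keys = parse_keys(listing)
    if not keys:
        return "no-keys"
    des = [k for k in keys if k[1] in SINGLE_DES]
    if not des:
        return "ok"
    if len(des) == len(keys):
        return "des-only"
    return "mixed"


def report(listing):
    """Human-readable summary, one line per finding."""
    verdict = audit(listing)
    lines = [f"verdict: {verdict}"]
    for vno, etype in des_keys(listing):
        lines.append(f"single-DES key still present: vno {vno} ({etype})")
    if verdict == "mixed":
        lines.append("check that no fileserver/dbserver KeyFile still holds the old "
                     "vno, then purge it from the KDC")
    return "\n".join(lines)


# Constructed sample modelled on the listing quoted in the thread; cell and
# realm are placeholders.  The locale-specific label line is deliberately
# kept to show that only the "Key: vno" lines matter to the parser.
SAMPLE_LISTING = """\
Principal: afs/example.cell@EXAMPLE.REALM
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
"""

if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Run against the real listing by piping kadmin.local output into the script instead of the constructed sample. A "mixed" verdict on the KDC says nothing about the servers' KeyFile, which is what Jeffrey's warning is about; that has to be checked on each server separately.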

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems (fwd)

2022-07-11 Thread Stephan Wonczak
  (resend without attachment - original Mail did not make it to the 
list!)


   Hi Jeffrey,
   Thanks for having a look at the problem.
   However, I obviously did not do a very good job detailing exactly what 
we did ... so here's my next try. Warning: It is going to be lengthy :-)


  First off: We do not use SSSD. And we would like to keep it that way, since 
it caused various massive problems in the past.


  On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM 
of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
 Looking at the debug-output of the module, this is what the relevant part 
looks like:


Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): 
session opened for user  by (uid=0)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
default/local realm 'RRZ.UNI-KOELN.DE'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured 
realm 'RRZ.UNI-KOELN.DE'

Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't 
always_allow_localname
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no 
ignore_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no 
null_afs
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no 
cred_session
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no 
ignore_k5login
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: 
user_check
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try 
previously set password first
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask 
for a password if that fails
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let 
libkrb5 ask questions
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: 
use_shmem
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: 
external
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no 
multiple_ccaches
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: 
validate

Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: 
Kerberos 5
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: 
/tmp
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname 
template: FILE:%d/krb5cc_%U_XX
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: 
FILE:/etc/krb5.keytab
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token 
strategy: 2b
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing 
shared memory segment 3 creator pid 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup 
function removing shared memory segment 3 belonging to process 3197
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining 
afs tokens
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating 
new PAG
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining 
tokens for local cell 'rrz.uni-koeln.de'
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with 
ticket (2b)
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting 
to determine realm for "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 
for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 
for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 
for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 
for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 
134.95.67.97 has name afs.thp.uni-koeln.de
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: 
afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting 
to obtain tokens for "rrz.uni-koeln.de" 
("afs/rrz.uni-koeln...@rrz.uni-koeln.de")
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens 
for cell "rrz.uni-koeln.de"
Jul  8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no 
additional afs cells configured



  We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild 
on a RHEL-8-Machine. This worked without any errors.

   However, when we try to use this to get a token, this happens:

Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: 
pam_unix(sshd:session): session opened 

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Carson Gaspar



On 7/8/2022 6:57 AM, Jeffrey E Altman wrote:
Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong 
thing since it's going to step on the toes of sssd's Kerberos ticket 
processing.


Only if you let sssd touch Kerberos. There are any number of reasons not 
to let it do so (no clue if the KRB5 and LDAP problems are fixed in 
later versions, but the EL8 code was written by crazed weasels on 
crack). But I'd use Russ' pam_krb5 instead of one from EL7 
(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which 
would probably require you use pam_afs_session as suggested (unless I'm 
missing something in the docs, which is very possible).


--

Carson


___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Dirk Heinrichs
Jeffrey E Altman:

> Red Hat's pam_krb5 is neither shipped nor supported for RHEL8 (or later).

Ah, OK. As a non-RH user, I wasn't aware they threw it out. Thanks for
clarifying.

> The replacement is sssd which supports Kerberos ticket acquisition but
> not AFS token acquisition. The recommendation for acquiring AFS tokens
> on sssd enabled systems is to use pam_afs_session

Yep, that's what I also do on my sssd-enabled (because of AD) Debian
systems.

Bye...

    Dirk

-- 
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de



OpenPGP_signature
Description: OpenPGP digital signature


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Dirk Heinrichs
Stephan Wonczak:

> Any advice would be greatly appreciated!

As Benjamin wrote: Try pam_afs_session. Should be added to the "auth"
and "session" blocks of your PAM setup.

https://packages.debian.org/bullseye/libpam-afs-session
https://www.eyrie.org/~eagle/software/pam-afs-session

HTH...

    Dirk

-- 
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de





Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Jeffrey E Altman
Sounds like the version of pam_krb5 you are attempting to build does not 
include support for rxkad-kdf.


https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html

The version of pam_krb5 that supports rxkad-kdf contains a 
minikafs_kd_derive() function at minikafs.c line 775.


See https://github.com/frozencemetery/pam_krb5.

As mentioned in my prior reply pam_krb5 should not be used in 
conjunction with sssd.


Jeffrey Altman

On 7/8/2022 8:35 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:

Hi everyone!
  (Berthold's colleague here)

  We dug a little deeper and found the part in the pam_krb5-sources 
where it fails. It is in the file "minikafs.c" starting in line 775. 
It looks like the call to krb5_get_credentials() gets a non-zero 
return value, thus making it bail out.
  The problem is that we (well, at least me!) have no idea which 
enctype is expected, and which enctypes are actually tried. Debug 
output is not too helpful here. Any ideas on how to get useful 
information?
  (I should mention I am waaay out of depth here with my knowledge of 
Kerberos, and my C-fu is severely lacking, too ;-) )


  To be absolutely clear: We can ssh-login to the machine running this 
pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after 
login, thus no access to AFS. If I do "klog.krb5", I -do- get an 
AFS-Token without any issues, and AFS-access starts working as it should.
  It's maddening that only pam_krb5 complains, while other tools work 
out of the box.


  Any advice would be greatly appreciated!

  Stephan

On Fri, 8 Jul 2022, Berthold Cogel wrote:


On 07.07.22 at 19:04, Dirk Heinrichs wrote:

 Benjamin Kaduk:


 Are you aware of pam_afs_session
 (https://github.com/rra/pam-afs-session)? Without knowing more about
 what you're using pam_krb5 for it's hard to make specific suggestions
 about what alternatives might exist.


 BTW: pam_krb5 != pam_krb5. There are two different modules with the same
 name out there. The one shipped with RedHat family distributions comes
 with integrated AFS support, while the one shipped with Debian family
 distributions doesn't. That's the reason why Debian also ships
 pam_afs_session and RH does not.

 Bye...

      Dirk



We're using the pam_krb5 shipped with Red Hat.

I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it 
seems to work for some value of working.


Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal 
to get connections from newer Ubuntu/Debian and Fedora 35 working.


We get a krb5 ticket and a login, but getting the AFS token gives 
errors:


"error obtaining credentials for 
'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of 
: No credentials found with supported encryption types"


Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.


Regards
Berthold



Dipl. Chem. Dr. Stephan Wonczak

    Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
    Universitaet zu Koeln, Weyertal 121, 50931 Koeln
    Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625

smime.p7s
Description: S/MIME Cryptographic Signature


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Jeffrey E Altman

On 7/7/2022 1:04 PM, Dirk Heinrichs (dirk.heinri...@altum.de) wrote:

Benjamin Kaduk:


Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.

BTW: pam_krb5 != pam_krb5. There are two different modules with the same
name out there. The one shipped with RedHat family distributions comes
with integrated AFS support, while the one shipped with Debian family
distributions doesn't. That's the reason why Debian also ships
pam_afs_session and RH does not.

Bye...

     Dirk


Red Hat's pam_krb5 is neither shipped nor supported for RHEL8 (or later).   
The replacement is sssd which supports Kerberos ticket acquisition but 
not AFS token acquisition.   The recommendation for acquiring AFS tokens 
on sssd enabled systems is to use pam_afs_session


  https://github.com/SSSD/sssd/issues/1505 "Support/Cache OpenAFS 
Authentication"


Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong 
thing since it's going to step on the toes of sssd's Kerberos ticket 
processing.


pam-afs-session is the correct tool to use on RHEL8 and later. The 
pam-afs-session bundled with AuriStorFS clients is known to acquire 
tokens in conjunction with sssd.   The primary differences between 
AuriStorFS pam_afs_session and Russ' are code quality improvements and 
use of external aklog and unlog instead of built-ins.


Jeffrey Altman






Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Stephan Wonczak

  Hi everyone!
  (Berthold's colleague here)

  We dug a little deeper and found the part in the pam_krb5-sources where 
it fails. It is in the file "minikafs.c" starting in line 775. It looks 
like the call to krb5_get_credentials() gets a non-zero return value, thus 
making it bail out.
  The problem is that we (well, at least me!) have no idea which enctype 
is expected, and which enctypes are actually tried. Debug output is not 
too helpful here. Any ideas on how to get useful information?
  (I should mention I am waaay out of depth here with my knowledge of 
Kerberos, and my C-fu is severely lacking, too ;-) )


  To be absolutely clear: We can ssh-login to the machine running this 
pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, 
thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token 
without any issues, and AFS-access starts working as it should.
  It's maddening that only pam_krb5 complains, while other tools work 
out of the box.


  Any advice would be greatly appreciated!

  Stephan

On Fri, 8 Jul 2022, Berthold Cogel wrote:


On 07.07.22 at 19:04, Dirk Heinrichs wrote:

 Benjamin Kaduk:


 Are you aware of pam_afs_session
 (https://github.com/rra/pam-afs-session)? Without knowing more about
 what you're using pam_krb5 for it's hard to make specific suggestions
 about what alternatives might exist.


 BTW: pam_krb5 != pam_krb5. There are two different modules with the same
 name out there. The one shipped with RedHat family distributions comes
 with integrated AFS support, while the one shipped with Debian family
 distributions doesn't. That's the reason why Debian also ships
 pam_afs_session and RH does not.

 Bye...

      Dirk



We're using the pam_krb5 shipped with Red Hat.

I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to 
work for some value of working.


Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get 
connections from newer Ubuntu/Debian and Fedora 35 working.


We get a krb5 ticket and a login, but getting the AFS token gives errors:

"error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' 
(enctype=1) on behalf of : No credentials found with supported encryption 
types"


Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.


Regards
Berthold



Dipl. Chem. Dr. Stephan Wonczak

Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
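Stephan's question above ("which enctype is expected, and which enctypes are actually tried") is answered by the debug lines themselves, and Jeffrey's interleaved reply further up in the thread shows why: every "error obtaining credentials" line carries an enctype number, and the RHEL 7 pam_krb5 only ever asks for 1, 2 and 3 (the three single-DES types). The following is an added example for this thread, not pam_krb5 code and not from anyone posting here: a Python triage script that pulls the requested enctypes out of pam_krb5 debug output, resolves the numbers to names, and reports "des-only-client" when every request was for single DES, which is exactly the symptom of a pam_krb5 build without rxkad-kdf running against a libkrb5 that has dropped DES. The two sample runs are constructed after the RHEL 8 and RHEL 7 lines quoted in the thread, with placeholder hosts, PIDs, cell, realm and principals.

```python
"""Triage pam_krb5 debug output: which enctypes did the module request?

Added example for this thread, not pam_krb5 code.  The input is syslog
lines of the form quoted in the thread; the samples below are constructed
after them with placeholder hosts, cell, realm and principals.
"""
import re

# RFC 3961/3962 enctype numbers as they appear in "(enctype=N)".
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}
SINGLE_DES = {1, 2, 3}

# One failed service-ticket request for an AFS service principal.
ATTEMPT = re.compile(
    r"pam_krb5\[\d+\]: error obtaining credentials for '(?P<svc>[^']+)' "
    r"\(enctype=(?P<etype>\d+)\) on behalf of '(?P<client>[^']+)': (?P<err>.*)$"
)
# The line a successful run (the RHEL 7 log in the thread) ends with.
GOT_TOKENS = re.compile(r'pam_krb5\[\d+\]: got tokens for cell "(?P<cell>[^"]+)"')


def parse(lines):
    """Return (attempts, cells_with_tokens).

    attempts: [(service_principal, enctype_number, error_text), ...]
    """
    attempts, cells = [], []
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            attempts.append((m["svc"], int(m["etype"]), m["err"].strip()))
            continue
        m = GOT_TOKENS.search(line)
        if m:
            cells.append(m["cell"])
    return attempts, cells


def diagnose(lines):
    """'ok' if tokens were obtained; 'des-only-client' if every request the
    module made was for enctype 1, 2 or 3 (a pam_krb5 build without
    rxkad-kdf, which a DES-less libkrb5 cannot satisfy); 'mixed' if stronger
    enctypes were requested too and still failed; 'no-attempt' otherwise."""
    attempts, cells = parse(lines)
    if cells:
        return "ok"
    if not attempts:
        return "no-attempt"
    requested = {etype for _, etype, _ in attempts}
    return "des-only-client" if requested <= SINGLE_DES else "mixed"


def report(lines):
    """One entry per finding, with enctype numbers resolved to names."""
    attempts, cells = parse(lines)
    out = [f"verdict: {diagnose(lines)}"]
    for svc, etype, err in attempts:
        name = ENCTYPE_NAMES.get(etype, f"enctype {etype}")
        out.append(f"requested {name} ({etype}) for {svc}: {err}")
    for cell in cells:
        out.append(f"tokens obtained for cell {cell}")
    return out


# Constructed samples modelled on the thread's logs (placeholders throughout).
_H8 = "Jul  8 15:14:57 host8.example.cell sshd[4242]: pam_krb5[4242]: "


def _fail(svc, etype):
    return (_H8 + f"error obtaining credentials for '{svc}' (enctype={etype}) "
            "on behalf of 'user@EXAMPLE.REALM': "
            "No credentials found with supported encryption types")


RHEL8_LINES = (
    [_H8 + 'attempting to obtain tokens for "example.cell" ("afs/example.cell@EXAMPLE.REALM")']
    + [_fail("afs/example.cell@EXAMPLE.REALM", e) for e in (1, 2, 3)]
    + [_H8 + 'attempting to obtain tokens for "example.cell" ("afs@EXAMPLE.REALM")']
    + [_fail("afs@EXAMPLE.REALM", e) for e in (1, 2, 3)]
)

_H7 = "Jul  8 10:26:51 host7.example.cell sshd[3197]: pam_krb5[3197]: "
RHEL7_LINES = [
    _H7 + 'attempting to obtain tokens for "example.cell" ("afs/example.cell@EXAMPLE.REALM")',
    _H7 + 'got tokens for cell "example.cell"',
]

if __name__ == "__main__":
    for line in report(RHEL8_LINES):
        print(line)
```

On a real box, feed it the pam_krb5 lines from the system log (e.g. the output of journalctl or the syslog file, one line per list element) in place of the constructed lists. A "des-only-client" verdict with a valid krb5 ticket in the cache is the combination the thread describes, and the fix is the one Jeffrey gives: a pam_krb5 that supports rxkad-kdf, or pam_afs_session.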

Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Berthold Cogel

On 08.07.22 at 11:24, Berthold Cogel wrote:

We're using the pam_krb5 shipped with Red Hat.

I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it 
seems to work for some value of working.


Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to 
get connections from newer Ubuntu/Debian and Fedora 35 working.


We get a krb5 ticket and a login, but getting the AFS token gives errors:

"error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' 
(enctype=1) on behalf of : No credentials found with supported 
encryption types"


Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.




I forgot to add, that klog.krb5 is getting a token after login...


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-08 Thread Berthold Cogel

On 07.07.22 at 19:04, Dirk Heinrichs wrote:

Benjamin Kaduk:


Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.


BTW: pam_krb5 != pam_krb5. There are two different modules with the same
name out there. The one shipped with RedHat family distributions comes
with integrated AFS support, while the one shipped with Debian family
distributions doesn't. That's the reason why Debian also ships
pam_afs_session and RH does not.

Bye...

     Dirk



We're using the pam_krb5 shipped with Red Hat.

I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it 
seems to work for some value of working.


Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to 
get connections from newer Ubuntu/Debian and Fedora 35 working.


We get a krb5 ticket and a login, but getting the AFS token gives errors:

"error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' 
(enctype=1) on behalf of : No credentials found with supported 
encryption types"


Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.


Regards
Berthold


Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-07-07 Thread Dirk Heinrichs
Benjamin Kaduk:

> Are you aware of pam_afs_session
> (https://github.com/rra/pam-afs-session)? Without knowing more about
> what you're using pam_krb5 for it's hard to make specific suggestions
> about what alternatives might exist.

BTW: pam_krb5 != pam_krb5. There are two different modules with the same
name out there. The one shipped with RedHat family distributions comes
with integrated AFS support, while the one shipped with Debian family
distributions doesn't. That's the reason why Debian also ships
pam_afs_session and RH does not.

Bye...

    Dirk

-- 
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de





Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems

2022-06-29 Thread Benjamin Kaduk
On Wed, Jun 29, 2022 at 04:02:17PM +0200, Berthold Cogel wrote:
> Hello,
> 
> we're trying to prepare our environment for the migration to RHEL 8.
> 
> At the moment, with RHEL 7 we still have our user homes in AFS and use 
> pam_krb5 to get a token at login. In the long term we will migrate our 
> homes to NFS4 (by administrative order...), but at the moment we're not 
> ready to walk this way.
> 
> The problem is, that Red Hat is forcing the usage of sssd and has 
> deprecated pam_krb5. But sssd doesn't support the AFS features of 
> pam_krb5. And for some reasons related to past experience we're not very 
> fond of using sssd and we're looking for alternatives. But on the other 
> hand, we don't have the resources to provide our own pam_krb5 package.
> 
> So any enlightenment on how to handle this problem will be appreciated.

Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)?
Without knowing more about what you're using pam_krb5 for it's hard to make
specific suggestions about what alternatives might exist.

-Ben