After all that, I now have an AFS question. I'm not sure whether I should ask the question here or on the OpenAFS list, as it seems at least to me that it's a Kerberos ticket forwarding problem.
I have PAM and OpenAFS working (/etc/pam.d/common-auth excerpt):

auth [success=ok default=1] pam_krb5.so forwardable
auth [default=done] pam_openafs_session.so debug

my sshd_config:

# To change Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
KerberosTicketCleanup yes
# Kerberos TGT Passing does only work with the AFS kaserver
KerberosTgtPassing yes

#GSSAPI authentication
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes

The first time I log into the machine from an unkerberized SSH client, it asks for a password. I supply it and am then presented with the Kerberos tickets as well as an AFS ticket. So far so good:

[EMAIL PROTECTED]'s password:
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:26:27 2004 from monitor2.dev.in.athenacr.com
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/[EMAIL PROTECTED]
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/[EMAIL PROTECTED]
10/29/04 18:33:39  10/30/04 04:33:39  afs/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for [EMAIL PROTECTED] [Expires Oct 30 04:33]
   --End of list--

Then, from jack (which has a kerberized ssh installation), I try to ssh into itself:

[EMAIL PROTECTED]:~$ ssh -K jack
Linux jack 2.4.27-acr-afs64 #1 SMP Wed Oct 27 14:40:19 EDT 2004 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Oct 29 18:33:39 2004 from milhouse.dev.in.athenacr.com
-bash: /home/wchow/.bash_login: Permission denied

The "Permission denied" error is a symptom of not having AFS tickets, since the home directory is mounted on AFS:

[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ tokens

Tokens held by the Cache Manager:

   --End of list--

The Kerberos tickets were forwarded correctly, but the AFS ticket was not. Is this a problem with my ssh-krb5 installation, or should I be asking the OpenAFS list about this?

Looking at my /var/log/auth.log output, it looks as if the "ssh -K jack" command skips PAM completely:

Oct 29 18:33:48 jack sshd[787]: (pam_unix) session opened for user wchow by (uid=0)
Oct 29 18:33:48 jack sshd[787]: Accepted gssapi for wchow from 192.168.0.6 port 32771 ssh2

Why is it that AFS tickets aren't being forwarded?

Thanks,
Wes
-- 
http://www.woahnelly.net/~wes/
OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F DF52 3F52 D582 A5CA 6644

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
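The two sessions in the post differ only in which credentials survive the GSSAPI login, and the auth.log lines show just a PAM session being opened, not the auth stack where pam_openafs_session sits. The shell example below is added here (it is not from the post, OpenAFS or ssh-krb5) and classifies a login from the text of `klist` and `tokens`, so that "TGT forwarded but no AFS ticket or token" is distinguished from "no Kerberos credentials at all"; the sample output is constructed from the post, with EXAMPLE.COM as a placeholder realm and cell.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post or of OpenAFS/ssh-krb5.
# Classifies a login's credential state from the text of `klist` and `tokens`
# so the post's two sessions can be told apart mechanically. Assumes the
# Debian-era output format quoted in the post; sample text below is
# constructed from it with EXAMPLE.COM as a placeholder realm/cell.

# Prints one of: no-tgt | tgt-no-afs-ticket | afs-ticket-no-token | ok
classify_creds() {
    klist_out=$1
    tokens_out=$2
    if ! printf '%s\n' "$klist_out" | grep -q '[[:space:]]krbtgt/'; then
        echo no-tgt; return 0
    fi
    # aklog / pam_openafs_session leave an afs service ticket in the ccache
    if ! printf '%s\n' "$klist_out" | grep -q '[[:space:]]afs[/@]'; then
        echo tgt-no-afs-ticket; return 0
    fi
    # `tokens` lists a held token as "User's (AFS ID N) tokens for ..."
    if printf '%s\n' "$tokens_out" | grep -q 'tokens for '; then
        echo ok
    else
        echo afs-ticket-no-token
    fi
}

# Constructed from the post's password login (all credentials present)
KLIST_PW='Ticket cache: FILE:/tmp/krb5cc_iCScnU
Default principal: wchow@EXAMPLE.COM
Valid starting     Expires            Service principal
10/29/04 18:33:39  10/30/04 04:33:39  host/jack.example.com@EXAMPLE.COM
10/29/04 18:33:39  10/30/04 04:33:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
10/29/04 18:33:39  10/30/04 04:33:39  afs/example.com@EXAMPLE.COM'
TOKENS_PW="Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for afs@example.com [Expires Oct 30 04:33]
   --End of list--"

# Constructed from the post's "ssh -K jack" login (TGT forwarded, nothing else)
KLIST_GSS='Ticket cache: FILE:/tmp/krb5cc_1000_gFY789
Default principal: wchow@EXAMPLE.COM
Valid starting     Expires            Service principal
10/29/04 18:33:48  10/30/04 04:33:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
TOKENS_GSS='Tokens held by the Cache Manager:
   --End of list--'

printf 'password login : %s\n' "$(classify_creds "$KLIST_PW" "$TOKENS_PW")"
printf 'gssapi login   : %s\n' "$(classify_creds "$KLIST_GSS" "$TOKENS_GSS")"
```

On a live host the same function can be fed real `klist` and `tokens` output from a login script to flag sessions in which a forwarded TGT was never turned into an AFS token.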
