Sorry, paste the contents of /etc/pam.d/sshd

auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Eric

On Sat, Jun 11, 2011 at 9:35 PM, Lee Eric <[email protected]> wrote:
> Thanks mate. Here's the /etc/pam.d/sshd file contents, could you tell
> me which part I can add pam_afs_session module?
>
> Thanks very much.
>
> Eric
>
> On Sat, Jun 11, 2011 at 9:05 PM, Jason Edgecombe
> <[email protected]> wrote:
>> On 06/11/2011 08:31 AM, Lee Eric wrote:
>>>
>>> Hi,
>>>
>>> The systems are using Fedora 14 and the systems can log in to each other
>>> by using Kerberos. But it seems after OpenSSH login the client side
>>> cannot get the OpenAFS token. So is there any way to let the client
>>> side get the OpenAFS token after login? Just a guess, could I use
>>> pam_afs_session in /etc/pam.d/sshd to do this?
>>>
>>>
>>> [root@client1 ~]# kinit huli
>>> Password for [email protected]:
>>> [root@client1 ~]# ssh [email protected]
>>> Last login: Sat Jun 11 08:30:24 2011 from client1.herdingcat.internal
>>> Could not chdir to home directory /afs/herdingcat.internal/home/huli:
>>> Permission denied
>>> -bash: /afs/herdingcat.internal/home/huli/.bash_profile: Permission denied
>>> -bash-4.1$
>>
>> yes, pam_afs_session can do that.
>>
>> In addition, for single sign-on to work, the remote machine must have a host
>> keytab installed and put the following in your local ssh config
>> (/etc/ssh/ssh_config or ~/.ssh/config):
>>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> Jason
>>
>
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
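An added example, not part of the original thread or of any project's code: a Python check for the two pieces the thread names, a pam_afs_session.so line in the sshd PAM file and the two GSSAPI options in the client ssh config. Looking for the module on a session line is an assumption, and the function names and the sample client config are constructed for the demo.

```python
import re

# Session lines of /etc/pam.d/sshd as posted in the thread.
PAM_AS_POSTED = """\
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
"""
# Constructed client-side config carrying the two options from Jason's reply.
SSH_CONFIG_OK = "GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n"
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_stack(pam_text):
    """Return (modules, includes) named on the 'session' lines of a PAM file."""
    modules, includes = [], []
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() == "session":
            (includes if m.group(2) in ("include", "substack") else modules).append(m.group(3))
    return modules, includes

def global_ssh_options(cfg_text):
    """Options that apply to every host; the first value seen wins, as in ssh."""
    opts, in_global = {}, True
    for raw in cfg_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            in_global = key == "host" and value == "*"
        elif in_global:
            opts.setdefault(key, value.lower())
    return opts

def check_afs_sso(pam_text, ssh_cfg_text):
    """List what is missing for the single sign-on setup the thread describes."""
    findings = []
    modules, includes = session_stack(pam_text)
    if not any(m.endswith("pam_afs_session.so") for m in modules):
        unchecked = ", ".join(includes) or "none"
        findings.append("no pam_afs_session.so session line; includes not checked: " + unchecked)
    opts = global_ssh_options(ssh_cfg_text)
    for key in ("gssapiauthentication", "gssapidelegatecredentials"):
        if opts.get(key) != "yes":
            findings.append(key + " is not 'yes' for all hosts")
    return findings
```

The checker does not follow `include` lines, so a module configured only in password-auth is reported as not checked rather than as present.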
