TOBx wrote:


Has anyone a good documentation of the pam_afs-Module? It seems to me, as if the parameters one can set for the module aren't making a difference?

[EC] Maybe you should try to compile SSH with PAM support.


I did this. But it doesn't help.

In /etc/pam.d/sshd I added the option 'debug' to the pam_afs.so.2-module.
So I get nice info about what the pam-module does when I try to log in.
SSH tries to authenticate the user (with username and passwd) 2 (!) times.
While the first time it seems as if the auth is successful, the second try prints a message like "unable to get the passwd from pam". ;-(
(Unfortunately I'm currently not at work and so I'm unable to attach the log... but I can send it, if someone cares for the exact message.)



The problem is most likely that a token and PAG may be obtained, but under the wrong process, because of the Priv Sep code.

After googling for quite a long time I found some information about an AFS support for SSH.
But as far as I know, there is a __little__ Problem with this. It's deprecated. ;-(


Was this the support of the AFS-Token__passing__-feature?

However I just want to login via ssh from __any__ client and get a valid AFS (no stand-alone Kerberos stuff!)

Not sure what you mean by "no stand-alone Kerberos stuff".

token created on the machine.
I can't believe that nobody else wants/has this feature already realized?! ;-)

Most sites are or are headed to using Kerberos V5 with AFS. i.e. not using AFS for authentication at all.

We use OpenSSH in a number of ways, including the GSSAPI with
a delegated credential, and entering in a Krb5 user and password.
In both cases a Krb5 ticket cache is created, and we have PAM
use this to get an AFS token.



Maybe s.o helps me with this....

Greets
  Tobias

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
