See https://lists.openafs.org/pipermail/openafs-info/2005-May/017905.html
This shows how to use PAM with ssh. It also works on Solaris 10.

Alexander Bergolth wrote:
Hi!

I'm using GSSAPI credential-delegation to forward my kerberos 5 tgt-ticket when initiating an openssh session.

GSSAPI-authentication and ticket forwarding works fine but now I'm looking for a way to obtain an AFS-token from the TGT to be able to enter my home-directory which resides in AFS. I don't want to do that using aklog in the shell-profile, I'd prefer something like a pam-module.

I've tried to use a pam-session entry containing the pam_krb5 module but it looks like this module requires a pam-stash in the session stage, that is initialized in the auth-stage. If GSSAPI-authentication is used, the auth stage isn't used and therefore the session setup is skipped.

Sep 11 15:02:27 roaster sshd[5837]: pam_krb5[5837]: no v5 creds for user 'bergolth', skipping session setup

Is there a pam_module that obtains a token from a krb5 ticket in the session stage without needing an auth stage?

Btw.: Maybe there is a second problem: I've straced the sshd login-process and it looks like the KRB5CCNAME environment variable is set (by another thread) _after_ the pam-session modules are executed. (See the strace excerpt below.)

Any help would be greatly appreciated.

Cheers,
--leo

# egrep 'no v5|krb5cc|clone' /tmp/urxn.txt
open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 12
unlink("/tmp/krb5cc_5020_WO5082")       = 0
open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 12
open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_LARGEFILE) = 12
clone(Process 5083 attached
[pid 5083] send(10, "<39>Sep 11 13:28:30 sshd[5083]: pam_krb5[5083]: no v5 creds for user \'bergolth\', skipping session setup", 103, MSG_NOSIGNAL) = 103
[pid 5083] write(2, "debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_5020_WO5082\r\n", 60 <unfinished ...>
[pid 5082] <... read resumed> "debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_5020_WO5082\r\r\n", 16384) = 61
[pid 5083] write(2, " KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\n", 42 <unfinished ...>
[pid 5082] <... read resumed> "Environment:\r\n KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\r\n USER=bergolth\r\n LOGNAME=bergolth\r\n HOME=/afs/wu-wien.ac.at/home/edvz/bergolth\r\n PATH=/usr/local/bin:/bin:/usr/bin\r\n MAIL=/var/mail/bergolth\r\n", 16384) = 204
[pid  5083] clone( <unfinished ...>
[pid 5083] <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f9c708) = 5084
write(2, "debug1: removing gssapi cred file\"/tmp/krb5cc_5020_WO5082\"\r\n", 60debug1: removing gssapi cred file"/tmp/krb5cc_5020_WO5082"
unlink("/tmp/krb5cc_5020_WO5082")       = 0

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
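The ordering question raised in the quoted message (whether sshd exports KRB5CCNAME only after the PAM session modules have already run) can be checked mechanically against a trace instead of by eye. The following Python script is an added example and is not part of the original thread, of OpenSSH or of pam_krb5; it parses an abridged, constructed version of the strace excerpt quoted above, strips the `[pid N]` prefixes strace adds once a second process is attached, and reports whether the pam_krb5 "no v5 creds ... skipping session setup" message precedes the first "Setting KRB5CCNAME" write. The regular expressions and the names `parse_events` and `analyse` are assumptions of this example, not identifiers from the thread.

```python
import re

# Constructed sample, abridged from the strace excerpt quoted in the thread;
# escapes such as \r\n appear literally, exactly as strace prints them.
SAMPLE_STRACE = r'''open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 12
clone(Process 5083 attached
[pid 5083] send(10, "<39>Sep 11 13:28:30 sshd[5083]: pam_krb5[5083]: no v5 creds for user 'bergolth', skipping session setup", 103, MSG_NOSIGNAL) = 103
[pid 5083] write(2, "debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_5020_WO5082\r\n", 60 <unfinished ...>
[pid 5083] write(2, " KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\n", 42 <unfinished ...>
unlink("/tmp/krb5cc_5020_WO5082") = 0
'''

# Optional "[pid N] " prefix that strace adds after a second process is attached.
PID_RE = re.compile(r"^\[pid\s+(\d+)\]\s*")
# pam_krb5's syslog message; the user name may be quoted with \' inside strace output.
NO_CREDS_RE = re.compile(r"pam_krb5\[(\d+)\]: no v5 creds for user \\?'([^'\\]+)\\?'")
# sshd's debug line naming the credential cache; stop at whitespace, quote or escape.
SET_CCNAME_RE = re.compile(r'Setting KRB5CCNAME to ([A-Z]+:[^\s"\\]+)')


def parse_events(strace_text):
    """Return the session-relevant events in file order, each tagged with its
    line number and the traced pid (None for lines without a [pid N] prefix)."""
    events = []
    for lineno, raw in enumerate(strace_text.splitlines(), start=1):
        m = PID_RE.match(raw)
        pid = int(m.group(1)) if m else None
        body = raw[m.end():] if m else raw
        creds = NO_CREDS_RE.search(body)
        if creds:
            events.append({"line": lineno, "pid": pid, "kind": "pam_session_skipped",
                           "user": creds.group(2)})
            continue
        ccname = SET_CCNAME_RE.search(body)
        if ccname:
            events.append({"line": lineno, "pid": pid, "kind": "ccname_set",
                           "ccache": ccname.group(1)})
    return events


def analyse(strace_text):
    """Decide whether sshd set KRB5CCNAME only after the PAM session stage ran.

    When both events are present, 'ccname_set_after_pam_session' is True if the
    pam_krb5 skip message precedes the first 'Setting KRB5CCNAME' line, which is
    the ordering that leaves session modules without a credential cache to use.
    It is None when either event is missing, so an incomplete trace is never
    mistaken for a clean one."""
    events = parse_events(strace_text)
    skipped = next((e for e in events if e["kind"] == "pam_session_skipped"), None)
    ccset = next((e for e in events if e["kind"] == "ccname_set"), None)
    result = {
        "user": skipped["user"] if skipped else None,
        "pam_session_line": skipped["line"] if skipped else None,
        "ccache": ccset["ccache"] if ccset else None,
        "ccname_set_line": ccset["line"] if ccset else None,
        "ccname_set_after_pam_session": None,
    }
    if skipped and ccset:
        result["ccname_set_after_pam_session"] = skipped["line"] < ccset["line"]
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_STRACE)
    if r["ccname_set_after_pam_session"]:
        print(f"user {r['user']}: PAM session ran at line {r['pam_session_line']}, "
              f"KRB5CCNAME={r['ccache']} was set later at line {r['ccname_set_line']}")
    else:
        print("no ordering problem found in this trace:", r)
```

To use it on a real capture, pass the contents of the strace output file (the `/tmp/urxn.txt` of the thread, or any `strace -f` run of sshd) to `analyse` in place of the constructed sample; it only reads text, so it can be run offline on a copied trace.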
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info