Garance A Drosihn wrote:

> At 2:17 PM -0500 9/12/05, Douglas E. Engert wrote:
>
>> See
>> https://lists.openafs.org/pipermail/openafs-info/2005-May/017905.html
>> This shows how to use PAM with ssh. It also works on Solaris 10.


> It happens that I'm in the middle of trying to compile the latest
> openssh on some solaris 8 boxes.  We have an older version of openSSH
> compiled (with a few kludges) and working, but I wanted to get our
> OpenSSH world on better footing.  These machines are also still
> running an older version of OpenAFS (1.2.11).  I did at least build
> the latest versions of OpenSSL and Heimdal.
>
> What I've put together so far is *almost* working.  I can ssh into
> the box, and it will ask for and correctly check my password.

Is this your Kerberos password?  The above referenced packages
assume you are logging in with a Kerberos password, either via
the built-in Kerberos support in sshd or via a pam_krb5 called by
sshd, or have authenticated with GSSAPI.

It is assuming the use of Kerberos v5.

> But
> it logs me in without any AFS credentials.  If I then do a 'kinit',
> I end up with both kerberos and AFS credentials.  I'm about 98% sure
> the problem is that I'm still using the PAM module from our previous
> setup.  Not much of a surprise there...
>
> Looking at the above URL, I am not sure that it will help me.  Would
> this depend on a newer version of OpenAFS?

There were some bug reports on the order of handling of KRB5CCNAME and
calling the PAM session, that were fixed in 4.1. I have the patch for 3.9
if you need it.

> Does it depend on Solaris 10 (instead of 8)?

No, we are using OpenSSH-4.1p1 on Solaris 8. We are using on Solaris 10
the Solaris Kerberos and ssh.

> In your message from May, you said you were still
> working on the pam.conf changes for Solaris 10.  Do you have that
> done at this point?


Yes, see attachment. The pam.conf.sun4x_57 is for 57 and 58 using the
MIT kerberos.




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1 
krlogin auth required          /krb5/lib/pam_afs2.so.1 
#krlogin        auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1 
krsh    auth required           /krb5/lib/pam_afs2.so.1  
#krsh   auth required           pam_unix_auth.so.1

#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
#DEE leave unmodified till the pam.conf and pam_afs2 are stable;
#DEE this leaves us a way onto the machine
# But this allows password login
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

# DEE from pam_krb5_man pages: 

#DEE smartcard failed, so skip it for now
#dtlogin        auth requisite          pam_smartcard.so.1
dtlogin         auth requisite          pam_authtok_get.so.1
dtlogin         auth required           pam_dhkeys.so.1
dtlogin         auth required           pam_unix_cred.so.1
dtlogin         auth required           pam_krb5.so.1 
dtlogin         auth required           /krb5/lib/pam_afs2.so.1   
# allows password login 
dtlogin         auth optional           pam_unix_auth.so.1

#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession       auth requisite          pam_authtok_get.so.1
dtsession       auth required           pam_dhkeys.so.1
dtsession       auth optional           pam_krb5.so.1    
dtsession       auth required           /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession       auth optional           pam_unix_auth.so.1

#
# xlock 
#
xlock   auth requisite          pam_authtok_get.so.1
xlock   auth required           pam_dhkeys.so.1
xlock   auth optional           pam_krb5.so.1  
xlock   auth required           /krb5/lib/pam_afs2.so.1  nopag
# allows unlock with local password
xlock   auth optional           pam_unix_auth.so.1

#
# xscreensaver used by gnome or CDE
#
xscreensaver    auth requisite          pam_authtok_get.so.1
xscreensaver    auth required           pam_dhkeys.so.1
xscreensaver    auth optional           pam_krb5.so.1  
xscreensaver    auth required           /krb5/lib/pam_afs2.so.1  nopag
# allows unlock with local password
xscreensaver    auth optional           pam_unix_auth.so.1
#

#
# sshd - keyboard interactive uses all PAM exits, but
#        PAM session is called when GSSAPI delegation or
#        Kerberos password used, so get AFS token in all three cases.
#        We want a session type cache, so with ANL PAM
#        pass in ccache= to account routine
#        RedHat PAM uses session caches already
#
sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_dhkeys.so.1
sshd-kbdint     auth required           pam_krb5.so.1  
# allows login with local password
sshd-kbdint     auth optional           pam_unix_auth.so.1

sshd-kbdint     account requisite       pam_roles.so.1
sshd-kbdint     account required        pam_unix_account.so.1
sshd-kbdint     account required        /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_pw_%u_%p

sshd-kbdint     session required        pam_unix_session.so.1
sshd-kbdint     session required        /krb5/lib/pam_afs2.so.1

# Used by GSS, but ssh has a bug about saving creds, so we use session based creds.

sshd-gssapi     account requisite       pam_roles.so.1
sshd-gssapi     account required        pam_unix_account.so.1
sshd-gssapi     account required        /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p

sshd-gssapi   session required  pam_unix_session.so.1
sshd-gssapi   session required  /krb5/lib/pam_afs2.so.1 
sshd-gssapi       session required  /krb5/lib/pam_krb5_ccache.so.1  clean

# ---- pam.conf.sun4x_57: for Solaris 7 and 8 using MIT Kerberos ----
#ident  "@(#)pam.conf 1.19     95/11/30 SMI"
#
# PAM configuration
#
# With ANL mods to use with krb5-1.3.4 /krb5/lib/pam_krb5.so.1
# which will get an AFS token and PAG
#
# Authentication management
#
login   auth sufficient /krb5/lib/pam_krb5.so.1  forwardable
login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#login  auth required   /usr/lib/security/pam_dial_auth.so.1 
#
#rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
#rlogin auth required   /usr/lib/security/pam_unix.so.1
#
dtlogin auth sufficient /krb5/lib/pam_krb5.so.1  forwardable
dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#
#rsh    auth required   /usr/lib/security/pam_rhosts_auth.so.1
#
dtsession auth sufficient /krb5/lib/pam_krb5.so.1  forwardable
dtsession auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
other   auth required   /usr/lib/security/pam_unix.so.1
#
# Account management
#
login   account required        /krb5/lib/pam_krb5.so.1
login   account required        /usr/lib/security/pam_unix.so.1 
#
dtlogin account required        /krb5/lib/pam_krb5.so.1
dtlogin account required        /usr/lib/security/pam_unix.so.1 
#
other   account required        /krb5/lib/pam_krb5.so.1
other   account required        /usr/lib/security/pam_unix.so.1 
#
# Session management
#
login   session optional        /krb5/lib/pam_krb5.so.1
login   session required        /usr/lib/security/pam_unix.so.1 
#
dtlogin session optional        /krb5/lib/pam_krb5.so.1
dtlogin session required        /usr/lib/security/pam_unix.so.1 
#
other   session optional    /krb5/lib/pam_krb5.so.1
other   session required        /usr/lib/security/pam_unix.so.1 
#
# Password management
#
login   password optional   /krb5/lib/pam_krb5.so.1 
dtlogin password optional   /krb5/lib/pam_krb5.so.1 
other   password required       /usr/lib/security/pam_unix.so.1 
#
#
# sshd - keyboard interactive uses all PAM exits, but
#        privsep gets in the way. So use force.
#        PAM session is called when GSSAPI delegation or
#        Kerberos password used, so get AFS token in all three cases. 
#        We want a session type cache, so with ANL PAM
#        pass in ccache=  
#        We need ccache= on HP as it does not have pam_putenv
#        RedHat PAM uses session cache already
#
###sshd        auth requisite      pam_authtok_get.so.1
###sshd        auth required       pam_dhkeys.so.1
sshd    auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds
sshd    auth required       /usr/lib/security/pam_unix.so.1
#
sshd   session required    /usr/lib/security/pam_unix.so.1
sshd   session required    /krb5/lib/pam_afs2.so.1  
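
A pam.conf that arrives by mail, as above, can pick up two defects that PAM will not complain about: a misspelled service name (an "sshd-kdbint" account or session stanza never matches, so the real "sshd-kbdint" service silently falls through to "other" and never gets pam_krb5_ccache or pam_afs2), and a long option such as "ccache=..." wrapped onto a line of its own, which Solaris pam.conf does not treat as a continuation. The linter below is an added example, written for this page in Python and not part of the thread or of any PAM package; it parses the Solaris "service type control module options" format, flags near-duplicate service names, auth-only services that will inherit "other" for account/session, orphaned option lines, and the "optional pam_unix_auth" entries that keep a local-password fallback open. The SAMPLE text is a constructed excerpt modelled on the posted file, including both defects.

```python
"""Lint a Solaris-style pam.conf for mistakes that silently weaken a
Kerberos/AFS sshd stack.  Added example; SAMPLE is a constructed excerpt."""
import difflib
from collections import defaultdict

TYPES = ("auth", "account", "session", "password")
CONTROLS = ("requisite", "required", "sufficient", "optional", "binding")

# Constructed excerpt: same stanzas as the posted Solaris 10 file, with the
# 'sshd-kdbint' misspelling and the 'ccache=' option wrapped onto its own line.
SAMPLE = """\
sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_krb5.so.1
sshd-kbdint     auth optional           pam_unix_auth.so.1
sshd-kdbint     account requisite       pam_roles.so.1
sshd-kdbint     account required        /krb5/lib/pam_krb5_ccache.so.1
ccache=/tmp/krb5cc_pw_%u_%p
sshd-kdbint     session required        /krb5/lib/pam_afs2.so.1
sshd-gssapi     account required        pam_unix_account.so.1
sshd-gssapi     session required        /krb5/lib/pam_afs2.so.1
other   auth required           pam_unix_auth.so.1
other   account required        pam_unix_account.so.1
other   session required        pam_unix_session.so.1
"""


def parse(text):
    """Return (entries, problems).
    entries: (lineno, service, type, control, module, options) per valid line."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if len(f) < 4 or f[1] not in TYPES or f[2] not in CONTROLS:
            if len(f) == 1 and "=" in f[0]:
                # A bare 'key=value' line is an option that line wrapping
                # detached from the entry above it; PAM will not re-join it.
                problems.append((n, "orphaned option %r: join it to the previous entry" % f[0]))
            else:
                problems.append((n, "unparseable entry: %r" % line))
            continue
        entries.append((n, f[0], f[1], f[2], f[3], f[4:]))
    return entries, problems


def lint(text):
    """Return a sorted list of (lineno, message); lineno 0 for file-level findings."""
    entries, problems = parse(text)
    by_service = defaultdict(set)
    for _, svc, typ, *_ in entries:
        by_service[svc].add(typ)
    names = sorted(by_service)
    seen = set()
    for svc in names:
        if svc == "other":
            continue
        # Two service names that differ by a transposition are almost always
        # one real name and one typo; the typo'd stanza never matches anything.
        close = difflib.get_close_matches(svc, [s for s in names if s != svc], n=1, cutoff=0.85)
        if close:
            pair = tuple(sorted((svc, close[0])))
            if pair not in seen:
                seen.add(pair)
                problems.append((0, "service names %r and %r are near-duplicates; one is probably a typo" % pair))
        # Solaris PAM falls back to 'other' per management type, so an auth-only
        # service quietly loses its account/session modules (pam_afs2, ccache).
        missing = [t for t in ("account", "session") if t not in by_service[svc]]
        if missing and "auth" in by_service[svc]:
            problems.append((0, "service %r has auth but no account/session stanza; it will use 'other'" % svc))
    for n, svc, typ, ctl, mod, _ in entries:
        if typ == "auth" and ctl == "optional" and mod.endswith("pam_unix_auth.so.1"):
            problems.append((n, "service %r: optional pam_unix_auth allows local-password login" % svc))
    return sorted(problems)


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print("%s: %s" % (lineno or "file", msg))
```

Run it against /etc/pam.conf with `lint(open("/etc/pam.conf").read())`; once the service name is corrected and the ccache option is back on its line, the only remaining finding for the excerpt is the deliberate local-password fallback, which is a policy choice rather than a defect.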
