Well, I found out where the road leads...

Wound up using pam_krb5 only for kerberos. It will not work with a GSSAPI passed TGT to just get a PAG. There's also an issue discussed previously on this list about needing to turn off challenge-response in openafs to make this work. Chaining after pam_krb5 in the session section I put pam_afs2 which calls out to /usr/bin/afs5log (the standalone aklog-ish piece of pam_krb5afs). Works both on initial login and for SSO now. This will not work for anything which doesn't allow passing PAM stashes from the auth function of pam_krb5 to the session function of pam_krb5 (like OpenSSH's challenge-response auth). It is only after pam_sm_open_session() in pam_krb5 that you have KRB5CCNAME set and pointing to a valid TGT.

Other little details are that pam_krb5afs assumes the /afs/<cellname> convention and that afs5log pukes on the -p <homedir> option that pam_afs2 passes to it, so it doesn't work out of the box.

PAM sucks.
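As an added illustration (not part of the original message, and not taken from the pam_krb5 or pam_afs2 projects), this is the shape the stacking described above takes in a pam.d service file. The service name, module paths and control flags are assumptions; the one thing it is meant to show is the ordering the message depends on: pam_krb5's session entry has to run before pam_afs2's, because KRB5CCNAME only points at a usable TGT after pam_krb5's pam_sm_open_session().

```text
# /etc/pam.d/sshd  (illustrative fragment; control flags are assumptions)

# auth: pam_krb5 obtains the TGT and stashes it for its own session hook
auth     required   pam_krb5.so

# session: pam_krb5 first, so KRB5CCNAME is exported and points at a valid TGT...
session  required   pam_krb5.so
# ...and only then pam_afs2, which execs /usr/bin/afs5log to get a PAG and an AFS token
session  optional   pam_afs2.so
```

Two caveats carried over from the message: the auth-to-session handoff is a pam_krb5-internal stash, so any method that never runs pam_krb5's auth function in the same PAM handle (the example given is OpenSSH's challenge-response auth) leaves the session step without a ticket cache; and afs5log reportedly rejects the -p <homedir> option pam_afs2 passes it, so this ordering alone is not enough to make it work out of the box.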

On Tue, 20 Sep 2005 [EMAIL PROTECTED] wrote:
Nevermind about #2. Naturally, as soon as I make a post it fixes itself and openssh is setting that correctly.

I believe this confirms that pam_krb5afs ignores KRB5CCNAME. Anyone got a patch to make it use the TGT that SSH forwarded to get a ticket for the cell and a pag?

On Tue, 20 Sep 2005 [EMAIL PROTECTED] wrote:
I'm trying to get TGT passing with the gssapi-with-mic auth method of openssh to work with pam_krb5afs to get a token.

1. Does this even work in principle, or does the pam_sm_open_session in pam_krb5afs rely on a stash created in the auth method of pam_krb5afs? I had hoped that the session part of pam_krb5afs would check for KRB5CCNAME (either via getenv() or pam_getenv()) and would use that if it was set, but now I'm not so sure, but still uncertain at this point of the way the code behaves.

2. KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly, even if pam_krb5afs can use it. I've verified that gssapi-with-mic and TGT passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh, "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.

I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.

Has anyone else been down this road before and know where it leads?
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
