[EMAIL PROTECTED] wrote:


Well, I found out where the road leads...

Wound up using pam_krb5 only for Kerberos. It will not work with a GSSAPI-passed TGT to just get a PAG. There's also an issue discussed previously on this list about needing to turn off challenge-response in OpenSSH to make this work. Chaining after pam_krb5 in the session section, I put pam_afs2, which calls out to /usr/bin/afs5log (the standalone aklog-ish piece of pam_krb5afs). Works both on initial login and for SSO now. This will not work for anything which doesn't allow passing PAM stashes from the auth function of pam_krb5 to the session function of pam_krb5 (like OpenSSH's challenge-response auth). It is only after pam_sm_open_session() in pam_krb5 that you have KRB5CCNAME set and pointing to a valid TGT.

As you appear to be doing, pam_afs2 can be set up to be called after
the pam_krb5 session, so it should be able to find KRB5CCNAME. (It also
has a nopag option, so if the PAG is obtained early, it will not get a new PAG.)

Does the pam_krb5 have a force_creds option? Some do. This could allow it to
store the ticket cache during the pam_sm_authenticate call rather than the
pam_sm_setcred call.


Other little details are that pam_krb5afs assumes the /afs/<cellname> convention and that afs5log pukes on the -p <homedir> option that pam_afs2 passes to it, so it doesn't work out of the box.


The OpenAFS aklog, the Heimdal afslog and the gssklog all accept the -p
option. I even see support for the -p option in aklog from as early as 1994.
The -p option is so the *log program can get a token for the cell
that contains the directory.

Never tried pam_afs2 with afs5log. Sounds like afs5log needs a -p option.

PAM sucks.

On Tue, 20 Sep 2005 [EMAIL PROTECTED] wrote:

Never mind about #2. Naturally, as soon as I make a post it fixes itself and OpenSSH is setting that correctly.

I believe this confirms that pam_krb5afs ignores KRB5CCNAME. Anyone got a patch to make it use the TGT that SSH forwarded to get a ticket for the cell and a PAG?

On Tue, 20 Sep 2005 [EMAIL PROTECTED] wrote:

I'm trying to get TGT passing with the gssapi-with-mic auth method of OpenSSH to work with pam_krb5afs to get a token.

1. Does this even work in principle, or does the pam_sm_open_session in pam_krb5afs rely on a stash created in the auth method of pam_krb5afs? I had hoped that the session part of pam_krb5afs would check for KRB5CCNAME (either via getenv() or pam_getenv()) and would use that if it was set, but now I'm not so sure; I'm still uncertain at this point about how the code behaves.

2. KRB5CCNAME doesn't appear to be getting set by openssh-4.0p1 properly, even if pam_krb5afs can use it. I've verified that gssapi-with-mic and TGT passing works correctly, but getenv("KRB5CCNAME") and pam_getenv(pamh, "KRB5CCNAME") from pam_sm_open_session in pam_krb5afs return NULL.

I'm using pam_krb5 2.1.8-2, openafs-1.3.87, krb5-1.3.5 and openssh-4.0p1.

Has anyone else been down this road before and know where it leads?
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info





--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
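The module ordering the thread converges on, written out as an illustrative Linux-PAM stack for sshd. This is an added example, not a configuration posted by anyone in the thread; the module file names (pam_krb5.so, pam_afs2.so, pam_unix.so) and the control flags are assumptions, and "nopag" is shown only because the thread names it as a pam_afs2 option. The point it illustrates is that pam_afs2 must come after pam_krb5 in the session stack, since KRB5CCNAME is only set once pam_krb5's pam_sm_open_session() has run.

```text
# /etc/pam.d/sshd (illustrative stack; module names and flags assumed)

# Password logins: pam_krb5 obtains the TGT here. For gssapi-with-mic logins
# this stack is skipped entirely and sshd supplies the forwarded TGT instead.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so

account   required    pam_unix.so

# Order matters: pam_krb5's session function is what sets KRB5CCNAME to a
# valid ticket cache, so it must run before the module that needs it.
session   required    pam_krb5.so
# pam_afs2 then calls out to the afslog/aklog-style helper (/usr/bin/afs5log
# in the thread) to turn the TGT into an AFS token inside a PAG.
# Add "nopag" here if a PAG has already been created earlier in the stack.
session   optional    pam_afs2.so
```

If the helper that pam_afs2 invokes rejects the -p <homedir> argument, as the thread reports for afs5log, the session module will fail at this step even though KRB5CCNAME is correct; checking the helper's accepted options with a manual run under the user's ticket cache is the quickest way to separate that failure from a missing or stale cache.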
