On Mon, 19 Feb 2007 10:14:56 -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> Your test looks strange, as the same ticket cache (based on on your > uid I assume) is being used in both the kinit and the ssh examples and the > tickets have the same time. This would indicate the SSH did not > gt you a kerberos ticket, of if it did it stored it in some > other cache, and did not set the KRB5CCNAME. > You may want to check your sshd_config, and your PAM configurations. > > The PAM_*afs*routines should only get a token if the ssh got > a kerberos ticket. > The most weird thing is it do the same on a physical login. Anyway here is my ssh config and pam config : sshd_config : # Package generated configuration file # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options KerberosAuthentication yes #KerberosGetAFSToken yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes # GSSAPI options GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes I changed two pam config files, common-auth and common-sesssion : # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_unix.so nullok_secure auth sufficient pam_krb5.so use_first_pass forwardable debug # # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix. # session required pam_unix.so session optional pam_krb5.so debug session optional pam_openafs_session.so -- Emmanuel Vadot System & Network Administrator [root & bocal] [EMAIL PROTECTED] 14-16 rue Voltaire 94270 Le Kremlin-Bicetre 01 44 08 01 91 06 83 14 62 92 _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
