El Barto wrote:
On Mon, 19 Feb 2007 10:14:56 -0600
"Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

Your test looks strange, as the same ticket cache (based on your
uid I assume) is being used in both the kinit and the ssh examples and the tickets have the same time. This would indicate the SSH did not
get you a Kerberos ticket, or if it did it stored it in some
other cache, and did not set the KRB5CCNAME.
You may want to check your sshd_config, and your PAM configurations.

The PAM_*afs* routines should only get a token if the ssh got
a Kerberos ticket.


First of all, do you really want to use passwords with sshd at all if
you already have KRB5? If you have tickets on the client machine
that runs ssh, then you want to use GSSAPI, which will use Kerberos
as intended, i.e. no passwords over the network. You should try
and get to this type of configuration if possible.

That said, looking at your configuration you want to use passwords
for sshd. Sshd can use Kerberos with passwords in two ways,
via internal Kerberos calls, or via PAM. I would recommend using
the PAM. This requires the use of the
ChallengeResponseAuthentication yes
You have it set to no, so (I believe) the pam_krb5 will not be called.

You might want to test this with a separate /etc/pam.d/ssh
file rather than the common-auth auth file. common-auth is used
by most other commands, and you want to make sure su or sudo still work :-)



The weirdest thing is it does the same on a physical login. Anyway
here is my ssh config and pam config:

sshd_config :
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

I changed two pam config files, common-auth and common-session:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so use_first_pass forwardable debug

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session optional        pam_krb5.so debug
session optional        pam_openafs_session.so


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
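An added audit script for the sshd_config settings the reply above discusses (UsePAM, ChallengeResponseAuthentication, KerberosAuthentication, GSSAPIAuthentication); it is example code, not from the thread or from OpenSSH, and its function names and embedded sample config are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# Kerberos/PAM settings the reply above discusses. The function names and the
# sample config below are constructed for this example.
# Print the effective value of KEY in the file CONFIG. sshd keywords are
# case-insensitive and the first uncommented occurrence wins; commented lines
# like "#PasswordAuthentication yes" are not settings, so they report "unset".
sshd_effective() {
    awk -v key="$1" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# Emit one line per finding for the points raised in the reply.
kerberos_pam_findings() {
    cfg=$1
    pam=$(sshd_effective UsePAM "$cfg")
    cr=$(sshd_effective ChallengeResponseAuthentication "$cfg")
    krb=$(sshd_effective KerberosAuthentication "$cfg")
    gss=$(sshd_effective GSSAPIAuthentication "$cfg")
    # The reply's point: the PAM path (pam_krb5) needs keyboard-interactive,
    # which ChallengeResponseAuthentication turns on.
    if [ "$pam" = yes ] && [ "$cr" != yes ]; then
        echo "UsePAM yes with ChallengeResponseAuthentication $cr: pam_krb5 is not consulted"
    fi
    # sshd's internal Kerberos password check and PAM are both active; the
    # reply recommends choosing the PAM path rather than debugging two.
    if [ "$krb" = yes ] && [ "$pam" = yes ]; then
        echo "KerberosAuthentication yes alongside UsePAM yes: two Kerberos password paths enabled"
    fi
    # The reply's preferred setup is GSSAPI, so no password is sent to sshd.
    if [ "$gss" != yes ]; then
        echo "GSSAPIAuthentication $gss: ticket-based login unavailable, a password must be sent"
    fi
}

# Constructed sample reproducing the relevant lines of the posted sshd_config.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
ChallengeResponseAuthentication no
#PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd yes
GSSAPIAuthentication no
UsePAM yes
EOF
kerberos_pam_findings "$SAMPLE_CFG"   # prints the three findings for this config
```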
