On Sep 3, 2007, at 10:40 AM, Russ Allbery wrote:
> Robert Sturrock <[EMAIL PROTECTED]> writes:
>> I have a question about pam-afs-session, although my problem may
>> actually be more related to Openssh and Kerberos.
>>
>> I installed pam-afs-session on RHEL4 and (after some PAM
>> tinkering) it seems to work fine, provided I use pam to do the
>> authentication rather than openssh. This means typing my password
>> even though I've already got a ticket on my workstation.
>>
>> However, I would ideally like to let openssh do the authentication
>> (i.e. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).
>> The client can forward Kerberos credentials and (hopefully)
>> pam-afs-session can turn that into a token. Is such a setup possible?
>
> Yes, I use it all the time on Debian.
>
> However, if I remember correctly, RHEL 4 ships a broken sshd that
> runs the PAM session hooks and *then* saves the ticket cache. This
> is obviously broken and has been fixed in later versions of sshd,
> but I don't believe Red Hat has fixed it in an update.
> pam-afs-session can't do anything about this; at the time that it's
> called, no ticket cache is available because sshd hasn't written it
> out yet.

That's correct. I believe this bug was fixed for OpenSSH 4.0+.
RHEL4 ships a patched OpenSSH 3.9p1, but does not include the fix for
this bug.

I put a call to aklog in .bash_profile on all my RHEL boxes, as Russ
suggests, though that's obviously a less than ideal arrangement.

--
Ian Ward Comfort <[EMAIL PROTECTED]>
System Administrator, Student Computing, Stanford University
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
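
The .bash_profile workaround described in the thread, written out as an added example that is not part of the original messages: it runs aklog only when a valid forwarded ticket cache exists and the session has no AFS token yet. The function name `afs_login_token`, its return codes and the matched `tokens` output text are assumptions of this sketch.

```shell
# ~/.bash_profile fragment (added example, not from the thread).
# Assumptions: `klist -s` exits non-zero when there is no valid ticket cache;
# OpenAFS `tokens` prints one "... tokens for <cell> ..." line per held token.

afs_login_token() {
    # Return 2: no usable Kerberos tickets, so aklog has nothing to convert
    # (for example, the client did not delegate credentials).
    klist -s 2>/dev/null || return 2

    # Return 0 without calling aklog if the session already holds a token,
    # e.g. because pam-afs-session ran under an sshd that has the fix.
    if tokens 2>/dev/null | grep -q 'tokens for '; then
        return 0
    fi

    # By the time the login shell starts, sshd has written the forwarded
    # ticket cache, so aklog can turn the delegated ticket into an AFS token.
    if ! aklog 2>/dev/null; then
        echo "afs_login_token: aklog failed; no AFS token for this session" >&2
        return 1
    fi
    return 0
}

# Never let a failure here abort the login shell.
afs_login_token || :
```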