Has a bug report on this particular issue been filed with Red Hat?

On Mon, Sep 03, 2007 at 10:40:09AM -0700, Russ Allbery wrote:
> Robert Sturrock <[EMAIL PROTECTED]> writes:
>
> > I have a question about pam-afs-session, although my problem may actually
> > be more related to Openssh and Kerberos.
>
> > I installed pam-afs-session on RHEL4 and (after some PAM tinkering) it
> > seems to work fine, provided I use pam to do the authentication rather
> > than openssh.  This means typing my password even though I've already
> > got a ticket on my workstation.
>
> > However, I would ideally like to let openssh do the authentication
> > (ie. set "GSSAPIAuthentication yes" in /etc/ssh/sshd_config).  The
> > client can forward Kerberos credentials and (hopefully)
> > pam-afs-session can turn that into a token.  Is such a setup possible?
>
> Yes, I use it all the time on Debian.
>
> However, if I remember correctly, RHEL 4 ships a broken sshd that runs the
> PAM session hooks and *then* saves the ticket cache.  This is obviously
> broken and has been fixed in later versions of sshd, but I don't believe
> Red Hat has fixed it in an update.  pam-afs-session can't do anything
> about this; at the time that it's called, no ticket cache is available
> because sshd hasn't written it out yet.
>
> If this is the problem that I remember, there isn't any real solution
> other than replacing sshd with a fixed version, but you can work around it
> by adding a call to aklog to the system shell initialization files.  The
> user's PAG is created correctly; the only problem is that aklog is never
> run.
>
> > I've also seen a newer version of pam_krb5 (2.2.x) which supports flags
> > "useshmem" and "external" that look helpful, but I was hoping not to
> > need this as I'm trying to stick as much as possible with the vendor
> > supplied packages (RHEL4 has pam_krb5-2.1.8-1).
>
> Won't help for this case, since sshd will still hold on to the ticket
> cache for too long and PAM won't see it.
>
> --
> Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[EMAIL PROTECTED]
********************************
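
The workaround named in the quoted reply (calling aklog from the system shell initialization files), written out as an added example that is not part of the thread or of pam-afs-session. The file location, the function name, and the use of MIT Kerberos `klist -s` as a pre-check are assumptions.

```shell
# Added example, not from the thread. Intended for a system-wide shell
# initialization file such as /etc/profile.d/afs-aklog.sh (path is an
# assumption), which runs after sshd has written out the ticket cache.

# Return codes:
#   0  aklog ran and obtained a token
#   1  no ticket cache named in the environment (no forwarded credentials)
#   2  aklog is not installed
#   3  ticket cache unreadable or tickets expired
#   4  aklog itself failed
afs_token_from_forwarded_tickets() {
    # sshd exports KRB5CCNAME to the session once it has stored delegated
    # GSSAPI credentials; without it there is nothing to convert.
    [ -n "${KRB5CCNAME:-}" ] || return 1

    command -v aklog >/dev/null 2>&1 || return 2

    # MIT klist -s prints nothing and exits non-zero when the cache
    # cannot be read or the tickets in it have expired.
    klist -s >/dev/null 2>&1 || return 3

    # The PAG was already created by the PAM session hook, so aklog only
    # has to place the AFS token in it.
    aklog >/dev/null 2>&1 || return 4

    return 0
}

# Never let a failure here abort the login shell.
afs_token_from_forwarded_tickets || :
```

Password logins handled entirely through PAM already get a token from pam-afs-session, so this only matters for sessions authenticated by sshd's GSSAPI support.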
