On Feb 20, 2008, at 5:19pm, [EMAIL PROTECTED] wrote:
> Hi all!
> I am trying to use single sign on openssh with kerberos. The
> authentication part is already working. Now I have the problem of
> receiving a token after the login. As far as I understand this is
> the job of pam_afs_session.so. So here is my system-auth which is
> included in /etc/pam.d/ssh
> auth required pam_env.so
> auth [success=ok default=1] pam_krb5.so try_first_pass
> auth [default=done] pam_afs_session.so
I just use the following for my common authentication:
auth sufficient pam_unix.so nullok_secure nodelay
auth sufficient pam_krb5.so use_first_pass forwardable
auth required pam_deny.so
And for session, I use:
session required pam_unix.so
session optional pam_krb5.so
session optional pam_openafs_session.so
> auth sufficient pam_unix.so likeauth nullok try_first_pass
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
> account sufficient pam_localuser.so
> account required pam_unix.so
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> password sufficient pam_krb5.so
> password sufficient pam_unix.so nullok use_authtok shadow md5
> password required pam_deny.so
> session optional pam_krb5.so
> session sufficient pam_afs_session.so
> session optional pam_ldap.so
> session sufficient pam_unix.so
> But pam_afs_session.so is posting the following error:
> sshd[22617]: (pam_afs_session): no token program set in PAM arguments
> This error message is coming twice. I would say for auth and
> session. I am really out of ideas, especially because everything is
> working fine with a local login. I can't see the difference to the
> ssh login because the auth part with krb is working AND I do have
> the krb token after login. A simple aklog is enough to receive the
> token and I can access my home directory ...
You first have to get a kerberos ticket (auth stanza) and next start a
session getting a token (session stanza). My configuration works with
SSH with SSO on my computers (no password or account stanzas
mentioning kerberos or afs, I don't need them now).
I hope it helps!
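The message quoted above, "no token program set in PAM arguments", is what pam_afs_session logs when it has not been told which program to run to obtain the AFS token; the module takes that from its program= argument. As an added illustration that is not part of either poster's configuration, the quoted stanza is shown beside a corrected one; the path /usr/bin/aklog is an assumption and should be whatever aklog resolves to on the host.

```text
# As quoted in the thread: no token program given, so the module can
# only log the error in both the auth and the session stack.
auth    [default=done]  pam_afs_session.so
session sufficient      pam_afs_session.so

# Corrected: name the program that turns the Kerberos ticket into a token.
# /usr/bin/aklog is an assumed path; adjust it to the local installation.
auth    [default=done]  pam_afs_session.so program=/usr/bin/aklog
session sufficient      pam_afs_session.so program=/usr/bin/aklog
```

After the change, an ssh login should show both a ticket (klist) and an AFS token (tokens) without running aklog by hand.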
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info