Rehi, replying to my own mail since I came across this link:

http://www.mail-archive.com/[email protected]/msg12283.html

The relevant excerpt from the mail:

===
If you're doing GSSAPI authentication to sshd, this is normal, since sshd
does ticket cache setup itself in that case and pam_krb5 doesn't need to
do anything.
===

So, the question is: can pam_afs_session.so (or aklog invoked by
pam_afs_session.so) use the ticket cache of sshd and how?

Thanks in advance & kind regards,

Holger

On Thu, 10 Dec 2009, Holger Rauch wrote:

> Hi to everybody,
>
> The problem I got is that interactive kinit/aklog combos work
> perfectly, but when I try to log in remotely via ssh, the passwordless
> login itself works, but a cd to my home dir doesn't occur because
> pam_afs_session.so is either not considered or doesn't call aklog. The
> exact error messages read as follows:
>
> Could not chdir to home directory /export/home/people/hrauch: Permission denied
> -bash: /export/home/people/hrauch/.bash_profile: Permission denied
>
> As it is now, I have to manually invoke kinit && aklog in order to be
> able to successfully cd to my home dir. That's exactly what I wanted
> to avoid.
>
> I googled but found only the hint that one needs to include
> pam_afs_session.so in the PAM session config, which I did.
>
> The above implies that LDAP setup (used for POSIX account info)
> and MIT Kerberos setup (for password maintenance) are configured correctly.
> SSH is set up to forward Kerberos tickets by using these options in
> /etc/ssh/ssh_config on the client:
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> This happens on a Debian Lenny system with openafs packages installed
> from backports.org in order to circumvent some kind of memory
> allocation error preventing the openafs kernel module from being loaded.
>
> Here's the list of installed openafs packages obtained via dpkg -l:
>
> ===
> ii  libpam-afs-session      1.7-1                   PAM module to set up a PAG and obtain AFS tokens
> ii  openafs-client          1.4.11+dfsg-5~bpo50+1   AFS distributed filesystem client support
> ii  openafs-krb5            1.4.11+dfsg-5~bpo50+1   AFS distributed filesystem Kerberos 5 integration
> ii  openafs-modules-dkms    1.4.11+dfsg-5~bpo50+1   AFS distributed filesystem kernel module DKMS source
> ii  openafs-modules-source  1.4.11+dfsg-5~bpo50+1   AFS distributed filesystem kernel module source
> ===
>
> My PAM config (I have a few "fallback" system accounts too, that's why
> pam_unix.so is mentioned):
>
> - /etc/pam.d/common-account
>
> ===
> account sufficient pam_unix.so
> account required pam_ldap.so minimum_uid=10000 debug
> account required pam_krb5.so minimum_uid=10000 ignore_root debug
> ===
>
> - /etc/pam.d/common-auth
>
> ===
> auth sufficient pam_unix.so nullok_secure
> auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> auth optional pam_afs_session.so program=/usr/bin/aklog
> auth required pam_deny.so
> ===
>
> - /etc/pam.d/common-password
>
> ===
> password sufficient pam_unix.so nullok obscure md5
> password required pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> ===
>
> - /etc/pam.d/common-session (I verified the path to aklog)
>
> ===
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_krb5.so minimum_uid=10000 ignore_root debug
> session optional pam_afs_session.so program=/usr/bin/aklog debug
> ===
>
> Anything wrong with my PAM config?
>
> /var/log/auth.log tells me:
>
> ===
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
> ===
>
> Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> the ticket cache file?
>
> Thanks in advance for any help!
>
> Kind regards,
>
> Holger

--
=========================================
Holger Rauch
Application Software Development
UNIX System Administration
Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: [email protected]
=========================================
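The common-auth and common-session stacks quoted in the thread are worth tracing by hand, because Linux-PAM's `sufficient` flag ends a stack as soon as that module succeeds, so anything listed after it only runs when every earlier `sufficient` module has failed. The Python script below is an added example for this thread, not code from the original post or from Linux-PAM; it walks the two quoted stacks with the classic control-flag rules (`required`, `requisite`, `sufficient`, `optional`, without the bracketed `[value=action]` syntax) and reports which modules actually execute. The per-module outcomes in each scenario (which module succeeds or fails) are assumptions chosen for illustration, not something the mail records.

```python
"""Linux-PAM stack walker applied to the common-auth and common-session
stacks quoted in the mail.

Added example for this thread, not code from the original post or from
Linux-PAM.  The control-flag rules are the simplified classic ones; the
per-module outcomes passed to evaluate() are assumptions.
"""
from dataclasses import dataclass

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Constructed copies of the stacks quoted in the mail.
COMMON_AUTH = """
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
auth optional pam_afs_session.so program=/usr/bin/aklog
auth required pam_deny.so
"""

COMMON_SESSION = """
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so minimum_uid=10000 ignore_root debug
session optional pam_afs_session.so program=/usr/bin/aklog debug
"""


@dataclass
class Entry:
    kind: str      # auth | account | password | session
    control: str   # required | requisite | sufficient | optional
    module: str
    args: tuple


def parse_stack(text):
    """Parse 'type control module [args...]' lines; skip blanks and comments."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, control, module, *args = line.split()
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control flag: %s" % control)
        stack.append(Entry(kind, control, module, tuple(args)))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack with Linux-PAM's simple control-flag rules.

    outcomes maps module name -> SUCCESS / FAIL / IGNORE (assumed results).
    A module missing from outcomes is treated as FAIL, which is what
    pam_deny.so returns.  Returns (stack_result, modules_actually_executed).
    """
    executed = []
    required_failed = False
    decided_success = False
    optional_result = None
    for e in stack:
        r = outcomes.get(e.module, FAIL)
        executed.append(e.module)
        if e.control == "requisite":
            if r == FAIL:
                return FAIL, executed           # abort the stack at once
            decided_success = decided_success or r == SUCCESS
        elif e.control == "required":
            if r == FAIL:
                required_failed = True          # keep walking, but the stack fails
            else:
                decided_success = decided_success or r == SUCCESS
        elif e.control == "sufficient":
            if r == SUCCESS and not required_failed:
                return SUCCESS, executed        # short-circuit: later modules never run
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            if r != IGNORE:
                optional_result = r             # only counts if nothing else decides
    if required_failed:
        return FAIL, executed
    if decided_success:
        return SUCCESS, executed
    if optional_result is not None:
        return optional_result, executed
    return FAIL, executed                       # nothing decided: PAM denies


def never_executed(stack, outcomes):
    """Modules in the stack that the walk above never reaches."""
    _, executed = evaluate(stack, outcomes)
    return [e.module for e in stack if e.module not in executed]


if __name__ == "__main__":
    auth = parse_stack(COMMON_AUTH)
    # Assumed: an LDAP/Kerberos user typing a password; pam_unix has no
    # local entry and fails, pam_krb5 succeeds.
    krb_user = {"pam_unix.so": FAIL, "pam_krb5.so": SUCCESS}
    print("auth, Kerberos user:", evaluate(auth, krb_user))
    print("  never reached:", never_executed(auth, krb_user))
    session = parse_stack(COMMON_SESSION)
    # Assumed: a session phase in which every module returns success.
    all_ok = dict.fromkeys(
        ("pam_limits.so", "pam_unix.so", "pam_krb5.so", "pam_afs_session.so"), SUCCESS)
    print("session:", evaluate(session, all_ok))
```

Under the assumed outcomes the auth stack returns success at pam_krb5.so and never reaches the `auth optional pam_afs_session.so` line (nor pam_deny.so); a local account that satisfies pam_unix.so stops even earlier. The session stack has no `sufficient` entries, so all four modules run on every login, which is why the quoted auth.log shows pam_afs_session.so only in pam_sm_open_session. What the walker cannot model is the data a module needs from an earlier phase, such as the ticket cache that pam_afs_session.so reports as missing in that log.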
