Troy Dawson wrote:
Wayne Betts wrote:
I inadvertently had sl-contrib enabled on an SL4.6 system and this morning it updated openssh, openssh-server, etc, getting them from sl-contrib. For instance:
openssh-server-3.9p1-22.SL.4.22.i386
According to the changelog, the changes appear to only include some bug fixes compared to the "stock" SL version (3.9p1-8). But upon logging in, it now tries (unsuccessfully) to get an AFS token with the aklog command, which I'd rather it not do. I don't see any reason for this in the sshd_config, which matches a box with the 3.9p1-8 version. Specifically, all the Kerberos options are commented out:
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
Could the package in sl-contrib be a build for SLF instead of an SL build or possibly have some remnant(s) of the changes for SLF/LTS?
I know I can downgrade to the non-contrib version, but am wondering if this might be a small oops in the contrib section? Or perhaps I don't understand the contrib section's purpose. Then again, perhaps all of this will clear up with the openssh updates due out later today for other reasons.
-Wayne
Hi Wayne,
This is not an oops, it is on purpose.
From the README in that directory
"These versions of openssh have been patched to be able to use
both the old and the new versions of gssapi. This allows them
to do kerberos authentication with both kerberized openssh before
openssh 3.9, and after openssh 3.9"
But we do not have the openssh server configured so that it does
kerberos only, like we do in SLF's version of openssh-server.
Why?
Well, if we did, you'd be worrying a lot more than just having it do
aklog when you log in. You wouldn't be able to log in any other way
than kerberos. And I don't think you want that.
So we have it configured to have the same settings that you get with the
regular openssh-server that you get from RedHat.
Thanks for the response Troy, but I'll have to put on the SL dunce hat and sit in a corner for a
while, because I've searched in vain for the README or directory you're referring to.
Obviously it doesn't do only Kerberos authentication, since I was able to log in but still I'm
confused...
You say it matches the Redhat settings, yet the aklog never happens on my genuine Redhat servers
which have the same GSSAPI and Kerberos options in their sshd_config files:
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
I also tried uncommenting the "KerberosAuthentication no" and "KerberosGetAFSToken no" lines to be
explicit, but it claims KerberosGetAFSToken is an unsupported option and still tried to aklog, so
I'm further confused. I also tried explicitly setting "GSSAPIAuthentication no", but same thing.
I'll keep wearing the dunce hat until a patient teacher educates me... :-)
-Wayne
Most people who use this version of openssh are really more concerned
with having an openssh client, not the server, that does both the old and
new kerberos.
Anyway ... the real problem is that annoying message about doing aklog
when you log in, isn't it?
I remember another lab having that problem and we fixed it for them ...
I think. It might have been changing the aklog stuff in /etc/krb5.conf
... but let me check.
Troy