Can't get kerberos5/afs working well

I have a mixed Linux lab: a server based on Debian (ssh 3.4p1) and
clients based on Gentoo (ssh version 3.8p1). My infrastructure is based
on MIT Kerberos 5 and OpenAFS. All I'd like to do is to make ssh
sessions passwordless, based on the tickets. On both systems I use PAM
authentication via libpam-krb5 and gain the token via
libpam-openafs-session && aklog (the Debian packages). The
module has the flags "use_first_pass forwardable".

Now, how do I enable passwordless ssh GAINING the correct tickets and
tokens? These are my settings:

=== ssh 3.8p1 sshd_config excerpt:

KerberosAuthentication yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

=== ssh 3.8p1 ssh_config excerpt:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

=== ssh 3.4p1 sshd_config excerpt:

KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosTgtPassing yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes

=== ssh 3.4p1 ssh_config excerpt:

KerberosAuthentication yes
KerberosTGTPassing yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Error: Keyboard not found. Press F1 to continue...

Re: Can't get kerberos5/afs working well

  Richard Silverman

Re: Can't get kerberos5/afs working well

There's a problem with sshd in 3.7x and 3.8x whereby credentials
established during the PAM authentication phase are not
passed on to the user's shell.  The authentication works but
you won't end up with a Kerberos ticket or AFS token.  See:

Possible solutions:

* Don't use PAM for sshd password authentication, use vanilla

* Rebuild sshd with threading (not recommended, and use 3.8.1p1 if you
do this).

* Use PasswordAuthentication via PAM. (This is not available in 3.7x
or 3.8x, however it will be available in the upcoming 3.9x release and
some vendors have already backported it to their 3.8x packages).

3.9 will be out soon (most likely within a week).  I would either wait
for 3.9 (test a snapshot to see if it resolves your problem) or ask my
vendor about backporting the PAM+PasswordAuthentication patch if they
haven't already.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
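The symptom described above (authentication succeeds, but the shell ends up with no Kerberos ticket or AFS token) is easy to verify from inside the new session. The following check script is an added example, not code from the thread or from OpenSSH; it assumes MIT `klist -f` (which prints a "Flags:" line per ticket) and the OpenAFS `tokens` command, and the sample outputs at the bottom are constructed, not real captures.

```sh
# Added session check, not from the thread. Run it in the freshly opened ssh
# session: it reports whether the login left a Kerberos TGT (and whether it is
# forwardable, so a further hop can still aklog) and an AFS token.
# Assumes MIT klist(1) with -f (prints a "Flags:" line) and OpenAFS tokens(1).

# 0 if the klist -f output lists a krbtgt ticket.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# 0 if the Flags: line after the krbtgt entry contains F (forwardable).
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:.*F/ { ok = 1 }
        want { want = 0 }
        END { exit ok ? 0 : 1 }'
}

# 0 if tokens(1) output shows an AFS token for some cell.
has_afs_token() {
    printf '%s\n' "$1" | grep -q 'tokens for afs@'
}

# One verdict line per check, given klist -f output ($1) and tokens output ($2).
report() {
    has_tgt "$1"         && echo "TGT: present"         || echo "TGT: missing"
    tgt_forwardable "$1" && echo "TGT forwardable: yes" || echo "TGT forwardable: no"
    has_afs_token "$2"   && echo "AFS token: present"   || echo "AFS token: missing"
}

# Live check: also flag an unset KRB5CCNAME, the usual sign that credentials
# created during PAM authentication never reached the user's shell.
diagnose() {
    [ -n "${KRB5CCNAME:-}" ] || echo "KRB5CCNAME unset: PAM credentials not handed to the shell"
    report "$(klist -f 2>&1 || true)" "$(tokens 2>&1 || true)"
}

# Constructed sample (not a real capture): a forwardable TGT but no AFS token.
SAMPLE_KLIST='Valid starting     Expires            Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'
SAMPLE_TOKENS='Tokens held by the Cache Manager:

   --End of list--'
report "$SAMPLE_KLIST" "$SAMPLE_TOKENS"
```

The trailing `report` call only exercises the checks on the constructed sample; call `diagnose` from the script to inspect the real session.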