SCIENTIFIC-LINUX-USERS Archives

February 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Douglas Fuller <[log in to unmask]>
Date: Mon, 6 Feb 2006 10:37:21 -0600

On Fri, Feb 03, 2006 at 01:27:01PM -0600, Troy Dawson wrote:
> Hi Doug,
> I'm trying to figure out what you're trying to do, just not quite sure.
 
Sorry, I should have been more specific.  I have an openafs server
authenticated with MIT K5 and I'm trying to set up an access point for
users to log in.  Once logged into the access point with a password, my
plan is to use openssh's gssapi-with-mic from there to forward K5
tickets from there to other boxen in the system.  My hangup is setting
up user logon to the access point box.

> Are you trying to log into a machine using your AFS password?  a local 
> password?  a kerberos password?
  
A kerberos password.

> When you log in, are you expecting an AFS token?  a kerberos5 ticket? a 
> kerberos4 ticket?
  
My eventual goal is an AFS token and a K5 ticket.  The setup I have now
is an effort to debug the situation by just trying to end up with a K5
ticket.  K4 is not an issue (so I really don't need v4_convert).

> Also, does this work for a local user sitting down at the console? 
> openssh and kerberos has been a headache, so getting ssh out of the 
> picture clears up a lot of things.

Yes, it works fine on the console.

Thanks again,
--Doug

> 
> Troy
> 
> Douglas Fuller wrote:
> >I'm also having trouble configuring PAM in an afs/krb5 environment using 
> >SL4.2.  On Debian, I've used pam_krb5 and libpam-openafs-session for 
> >credentials cache/token setup, and I'm looking for similar functionality 
> >(though putting aklog in a startup script would be fine).  Anyhow, I seem 
> >to be misunderstanding something.
> >
> >For now, I'm just trying to authenticate and end up with a credentials 
> >cache on login (I can kinit fine).  What is strange is the pam_krb5 debug 
> >output given the setup below.  The results are different based on whether 
> >the user gives an incorrect password on the first attempt.  This seems to 
> >indicate something else is reading the password, since pam_krb5 does not 
> >appear to receive it from the first prompt (see notes below).
> >
> >Even when pam_krb5 does get a TGT, the session module can't find it.  
> >Thus, no credentials cache anyway.  Is KRB5CCNAME not being propagated or 
> >something?
> >
> >TIA,
> >--Doug Fuller
> >--University of North Texas
> >
> >/etc/ssh/sshd_config:
> >PasswordAuthentication no
> >KerberosAuthentication no
> >GSSAPIAuthentication no
> >UsePrivilegeSeparation no
> >UsePAM yes
> >
> >/etc/pam.d/sshd:
> >auth     required pam_krb5.so debug forwardable
> >account  required pam_unix.so
> >password required pam_krb5.so
> >session  required pam_krb5.so forwardable
> >
> >Local passwords are disabled.
> >
> >When I log in, here is the output to /var/log/secure:
> >sshd[30568]: Accepted keyboard-interactive/pam for from  port 34025 ssh2 # 
> ><-- Who is this?
> >sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID.  So is this 
> >session output from pam_krb5?
> >sshd[30568]: pam_krb5[30568]: flags: forwardable
> >sshd[30568]: pam_krb5[30568]: flag: ignore_afs
> >sshd[30568]: pam_krb5[30568]: flag: user_check
> >sshd[30568]: pam_krb5[30568]: flag: krb4_convert
> >sshd[30568]: pam_krb5[30568]: flag: warn
> >sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
> >sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
> >sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
> >sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
> >sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
> >sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
> >sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
> >sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
> >sshd[30570]: pam_krb5[30570]: configured realm
> >sshd[30570]: pam_krb5[30570]: flags: forwardable
> >sshd[30570]: pam_krb5[30570]: flag: ignore_afs
> >sshd[30570]: pam_krb5[30570]: flag: user_check
> >sshd[30570]: pam_krb5[30570]: flag: krb4_convert
> >sshd[30570]: pam_krb5[30570]: flag: warn
> >sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
> >sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
> >sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
> >sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
> >sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
> >sshd[30570]: pam_krb5[30570]: called to update credentials for
> >sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)
> >
> >Here is the output when the user enters his password incorrectly on the 
> >first attempt:
> >
> >sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
> >sshd[30685]: pam_krb5[30685]: configured realm
> >sshd[30685]: pam_krb5[30685]: flags: forwardable
> >sshd[30685]: pam_krb5[30685]: flag: ignore_afs
> >sshd[30685]: pam_krb5[30685]: flag: user_check
> >sshd[30685]: pam_krb5[30685]: flag: krb4_convert
> >sshd[30685]: pam_krb5[30685]: flag: warn
> >sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
> >sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
> >sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
> >sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
> >sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
> >sshd[30685]: pam_krb5[30685]: called to authenticate
> >sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt 
> >here
> >sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by 
> >other modules
> >sshd[30685]: pam_krb5[30685]: trying newly-entered password for
> >sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
> >sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) 
> >returned 0 (Success)
> >sshd[30685]: pam_krb5[30685]: got result 0 (Success)
> >sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
> >sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
> >sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
> >sshd[30685]: pam_krb5[30685]: conversion succeeded
> >sshd[30685]: pam_krb5[30685]: authentication succeeds  for
> >sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
> >sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
> >sshd[30683]: pam_krb5[30683]: configured realm
> >sshd[30683]: pam_krb5[30683]: flags: forwardable
> >sshd[30683]: pam_krb5[30683]: flag: ignore_afs
> >sshd[30683]: pam_krb5[30683]: flag: user_check
> >sshd[30683]: pam_krb5[30683]: flag: krb4_convert
> >sshd[30683]: pam_krb5[30683]: flag: warn
> >sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
> >sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
> >sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
> >sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
> >sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
> >sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
> >sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
> >sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
> >sshd[30686]: pam_krb5[30686]: configured realm
> >sshd[30686]: pam_krb5[30686]: flags: forwardable
> >sshd[30686]: pam_krb5[30686]: flag: ignore_afs
> >sshd[30686]: pam_krb5[30686]: flag: user_check
> >sshd[30686]: pam_krb5[30686]: flag: krb4_convert
> >sshd[30686]: pam_krb5[30686]: flag: warn
> >sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
> >sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
> >sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
> >sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
> >sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
> >sshd[30686]: pam_krb5[30686]: called to update credentials for
> >sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
> 
> 
> -- 
> __________________________________________________
> Troy Dawson  [log in to unmask]  (630)840-6468
> Fermilab  ComputingDivision/CSS  CSI Group
> __________________________________________________
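An added example, not part of the thread: a small Python script that groups the pam_krb5 debug lines quoted above by sshd PID and reports whether the process that ran the session phase (and logged "no v5 creds for user") is the same process that completed pam_authenticate. The sample log is constructed from the quoted lines (the user and host fields are blank in the archive, so they are blank here too); the regex and the finding categories are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpt quoted in the thread.
SAMPLE_LOG = """\
sshd[30683]: error: PAM: Authentication failure for
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
"""

# sshd[PID]: optionally followed by pam_krb5[PID]:, then the message text.
LINE_RE = re.compile(r"^sshd\[(\d+)\]: (?:pam_krb5\[\d+\]: )?(.*)$")


def parse_events(log):
    """Return {pid: [message, ...]} preserving log order per PID."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[int(m.group(1))].append(m.group(2).strip())
    return events


def diagnose(log):
    """Correlate the authenticate and session phases across sshd PIDs.

    A session PID that reports "no v5 creds" but never logged a successful
    pam_authenticate itself is listed under "cross_process": the credentials
    were obtained in another process, which is consistent with the ccache
    (KRB5CCNAME) not reaching the process that opens the session.
    """
    events = parse_events(log)
    auth_ok = {pid for pid, msgs in events.items()
               if any(m.startswith("pam_authenticate returning 0") for m in msgs)}
    no_creds = {pid for pid, msgs in events.items()
                if any(m.startswith("no v5 creds for user") for m in msgs)}
    return {
        "auth_ok_pids": sorted(auth_ok),
        "session_no_creds_pids": sorted(no_creds),
        "cross_process": sorted(no_creds - auth_ok),
    }


if __name__ == "__main__":
    for key, pids in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {pids}")
```

Run against a real /var/log/secure excerpt with the pam_krb5 `debug` option enabled, the "cross_process" list shows which session PIDs never saw the TGT that a sibling sshd process obtained.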
