On Fri, Feb 03, 2006 at 01:27:01PM -0600, Troy Dawson wrote:
> Hi Doug,
> I'm trying to figure out what you're trying to do, just not quite sure.
Sorry, I should have been more specific. I have an openafs server
authenticated with MIT K5 and I'm trying to set up an access point for
users to log in. Once logged into the access point with a password, my
plan is to use openssh's gssapi-with-mic from there to forward K5
tickets from there to other boxen in the system. My hangup is setting
up user logon to the access point box.
> Are you trying to log into a machine using your AFS password? a local
> password? a kerberos password?
A kerberos password.
> When you log in, are you expecting an AFS token? a kerberos5 ticket? a
> kerberos4 ticket?
My eventual goal is an AFS token and a K5 ticket. The setup I have now
is an effort to debug the situation by just trying to end up with a K5
ticket. K4 is not an issue (so I really don't need v4_convert).
> Also, does this work for a local user sitting down at the console?
> openssh and kerberos has been a headache, so getting ssh out of the
> picture clears up a lot of things.
Yes, it works fine on the console.
Thanks again,
--Doug
>
> Troy
>
> Douglas Fuller wrote:
> >I'm also having trouble configuring PAM in an afs/krb5 environment using
> >SL4.2. On Debian, I've used pam_krb5 and libpam-openafs-session for
> >credentials cache/token setup, and I'm looking for similar functionality
> >(though putting aklog in a startup script would be fine). Anyhow, I seem
> >to be misunderstanding something.
> >
> >For now, I'm just trying to authenticate and end up with a credentials
> >cache on login (I can kinit fine). What is strange is the pam_krb5 debug
> >output given the setup below. The results are different based on whether
> >the user gives an incorrect password on the first attempt. This seems to
> >indicate something else is reading the password, since pam_krb5 does not
> >appear to receive it from the first prompt (see notes below).
> >
> >Even when pam_krb5 does get a TGT, the session module can't find it.
> >Thus, no credentials cache anyway. Is KRB5CCNAME not being propagated or
> >something?
> >
> >TIA,
> >--Doug Fuller
> >--University of North Texas
> >
> >/etc/ssh/sshd_config:
> >PasswordAuthentication no
> >KerberosAuthentication no
> >GSSAPIAuthentication no
> >UsePrivilegeSeparation no
> >UsePAM yes
> >
> >/etc/pam.d/sshd:
> >auth required pam_krb5.so debug forwardable
> >account required pam_unix.so
> >password required pam_krb5.so
> >session required pam_krb5.so forwardable
> >
> >Local passwords are disabled.
> >
> >When I log in, here is the output to /var/log/secure:
> >sshd[30568]: Accepted keyboard-interactive/pam for from port 34025 ssh2 #
> ><-- Who is this?
> >sshd[30568]: pam_krb5[30568]: configured realm # <-- same PID. So is this
> >session output from pam_krb5?
> >sshd[30568]: pam_krb5[30568]: flags: forwardable
> >sshd[30568]: pam_krb5[30568]: flag: ignore_afs
> >sshd[30568]: pam_krb5[30568]: flag: user_check
> >sshd[30568]: pam_krb5[30568]: flag: krb4_convert
> >sshd[30568]: pam_krb5[30568]: flag: warn
> >sshd[30568]: pam_krb5[30568]: ticket lifetime: 100000
> >sshd[30568]: pam_krb5[30568]: renewable lifetime: 100000
> >sshd[30568]: pam_krb5[30568]: banner: Kerberos 5
> >sshd[30568]: pam_krb5[30568]: ccache dir: /tmp
> >sshd[30568]: pam_krb5[30568]: keytab: /etc/krb5.keytab
> >sshd[30568]: pam_krb5[30568]: no v5 creds for user, skipping session setup
> >sshd[30568]: pam_krb5[30568]: pam_open_session returning 0 (Success)
> >sshd[30570]: pam_krb5[30570]: no v5 creds for user, skipping session setup
> >sshd[30570]: pam_krb5[30570]: configured realm
> >sshd[30570]: pam_krb5[30570]: flags: forwardable
> >sshd[30570]: pam_krb5[30570]: flag: ignore_afs
> >sshd[30570]: pam_krb5[30570]: flag: user_check
> >sshd[30570]: pam_krb5[30570]: flag: krb4_convert
> >sshd[30570]: pam_krb5[30570]: flag: warn
> >sshd[30570]: pam_krb5[30570]: ticket lifetime: 100000
> >sshd[30570]: pam_krb5[30570]: renewable lifetime: 100000
> >sshd[30570]: pam_krb5[30570]: banner: Kerberos 5
> >sshd[30570]: pam_krb5[30570]: ccache dir: /tmp
> >sshd[30570]: pam_krb5[30570]: keytab: /etc/krb5.keytab
> >sshd[30570]: pam_krb5[30570]: called to update credentials for
> >sshd[30570]: pam_krb5[30570]: _pam_krb5_sly_refresh returning 0 (Success)
> >
> >Here is the output when the user enters his password incorrectly on the
> >first attempt:
> >
> >sshd[30683]: error: PAM: Authentication failure for # <--- Who is this?
> >sshd[30685]: pam_krb5[30685]: configured realm
> >sshd[30685]: pam_krb5[30685]: flags: forwardable
> >sshd[30685]: pam_krb5[30685]: flag: ignore_afs
> >sshd[30685]: pam_krb5[30685]: flag: user_check
> >sshd[30685]: pam_krb5[30685]: flag: krb4_convert
> >sshd[30685]: pam_krb5[30685]: flag: warn
> >sshd[30685]: pam_krb5[30685]: ticket lifetime: 100000
> >sshd[30685]: pam_krb5[30685]: renewable lifetime: 100000
> >sshd[30685]: pam_krb5[30685]: banner: Kerberos 5
> >sshd[30685]: pam_krb5[30685]: ccache dir: /tmp
> >sshd[30685]: pam_krb5[30685]: keytab: /etc/krb5.keytab
> >sshd[30685]: pam_krb5[30685]: called to authenticate
> >sshd[30685]: pam_krb5[30685]: authenticating # <-- second password prompt
> >here
> >sshd[30685]: pam_krb5[30685]: saving newly-entered password for use by
> >other modules
> >sshd[30685]: pam_krb5[30685]: trying newly-entered password for
> >sshd[30685]: pam_krb5[30685]: authenticating to 'krbtgt'
> >sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt)
> >returned 0 (Success)
> >sshd[30685]: pam_krb5[30685]: got result 0 (Success)
> >sshd[30685]: pam_krb5[30685]: obtaining v4-compatible key
> >sshd[30685]: pam_krb5[30685]: obtained des-cbc-crc v5 creds
> >sshd[30685]: pam_krb5[30685]: converting v5 creds to v4 creds (etype = 1)
> >sshd[30685]: pam_krb5[30685]: conversion succeeded
> >sshd[30685]: pam_krb5[30685]: authentication succeeds for
> >sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
> >sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
> >sshd[30683]: pam_krb5[30683]: configured realm
> >sshd[30683]: pam_krb5[30683]: flags: forwardable
> >sshd[30683]: pam_krb5[30683]: flag: ignore_afs
> >sshd[30683]: pam_krb5[30683]: flag: user_check
> >sshd[30683]: pam_krb5[30683]: flag: krb4_convert
> >sshd[30683]: pam_krb5[30683]: flag: warn
> >sshd[30683]: pam_krb5[30683]: ticket lifetime: 100000
> >sshd[30683]: pam_krb5[30683]: renewable lifetime: 100000
> >sshd[30683]: pam_krb5[30683]: banner: Kerberos 5
> >sshd[30683]: pam_krb5[30683]: ccache dir: /tmp
> >sshd[30683]: pam_krb5[30683]: keytab: /etc/krb5.keytab
> >sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
> >sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
> >sshd[30686]: pam_krb5[30686]: no v5 creds for user, skipping session setup
> >sshd[30686]: pam_krb5[30686]: configured realm
> >sshd[30686]: pam_krb5[30686]: flags: forwardable
> >sshd[30686]: pam_krb5[30686]: flag: ignore_afs
> >sshd[30686]: pam_krb5[30686]: flag: user_check
> >sshd[30686]: pam_krb5[30686]: flag: krb4_convert
> >sshd[30686]: pam_krb5[30686]: flag: warn
> >sshd[30686]: pam_krb5[30686]: ticket lifetime: 100000
> >sshd[30686]: pam_krb5[30686]: renewable lifetime: 100000
> >sshd[30686]: pam_krb5[30686]: banner: Kerberos 5
> >sshd[30686]: pam_krb5[30686]: ccache dir: /tmp
> >sshd[30686]: pam_krb5[30686]: keytab: /etc/krb5.keytab
> >sshd[30686]: pam_krb5[30686]: called to update credentials for
> >sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
>
>
> --
> __________________________________________________
> Troy Dawson (630)840-6468
> Fermilab ComputingDivision/CSS CSI Group
> __________________________________________________
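The /var/log/secure excerpt above is easier to read once the lines are grouped by sshd PID. The following script is an added example, not code from anyone in this thread; it parses lines in the format quoted above (the sample below is constructed to mirror that excerpt, with the user field left blank as in the original) and reports which process ran pam_authenticate and which ran pam_open_session, the observation behind the question about KRB5CCNAME.

```python
import re

# Constructed sample, modelled on the /var/log/secure excerpt quoted in the thread
# (the user field is blank there, so it is blank here as well).
SAMPLE_LOG = """\
sshd[30685]: pam_krb5[30685]: called to authenticate
sshd[30685]: pam_krb5[30685]: krb5_get_init_creds_password(krbtgt) returned 0 (Success)
sshd[30685]: pam_krb5[30685]: pam_authenticate returning 0 (Success)
sshd[30683]: Accepted keyboard-interactive/pam port 34049 ssh2
sshd[30683]: pam_krb5[30683]: no v5 creds for user, skipping session setup
sshd[30683]: pam_krb5[30683]: pam_open_session returning 0 (Success)
sshd[30686]: pam_krb5[30686]: called to update credentials for
sshd[30686]: pam_krb5[30686]: _pam_krb5_sly_refresh returning 0 (Success)
"""

# sshd[<pid>]: [pam_krb5[<pid>]: ]<message>
LINE_RE = re.compile(r"^sshd\[(\d+)\]: (?:pam_krb5\[\d+\]: )?(.*)$")

# Substring -> PAM phase (or sshd event) the line belongs to; first match wins.
MARKERS = [
    ("called to authenticate", "auth"),
    ("no v5 creds for user", "no-creds"),
    ("pam_open_session returning", "session"),
    ("called to update credentials", "setcred"),
    ("_pam_krb5_sly_refresh", "setcred"),
    ("Accepted keyboard-interactive", "sshd-accepted"),
]

def classify(message):
    for needle, phase in MARKERS:
        if needle in message:
            return phase
    return None

def pam_timeline(log_text):
    """Map each sshd PID to the ordered, de-duplicated list of phases it logged."""
    timeline = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        phase = classify(m.group(2)) if m else None
        if phase is None:
            continue
        phases = timeline.setdefault(m.group(1), [])
        if not phases or phases[-1] != phase:
            phases.append(phase)
    return timeline

def auth_session_split(timeline):
    """Return (auth_pids, session_pids); disjoint sets mean the TGT was obtained in a different process."""
    auth = {pid for pid, ph in timeline.items() if "auth" in ph}
    sess = {pid for pid, ph in timeline.items() if "session" in ph}
    return auth, sess
```

On the sample, PID 30685 does the authentication while PID 30683 opens the session and reports "no v5 creds", so any credentials pam_krb5 saved during auth were held by a process other than the one running the session module.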