openssh-3.7.1_p2-r2 does not work with pam_krb5(afs). There are no tickets/afs tokens, although the system lets you in. I have found the workaround in SuSE 9.0.
1) Patch for KRB5CCNAME:
--- gss-serv-krb5.c +++ gss-serv-krb5.c @@ -178,7 +178,9 @@ client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); client->store.envvar = "KRB5CCNAME"; - client->store.envval = xstrdup(client->store.filename); + int envval_len = strlen(client->store.filename) + 6; + if (client->store.envval = xmalloc (envval_len)) + snprintf(client->store.envval,envval_len,"FILE:%s",client->store.fil ename); #ifdef USE_PAM if (options.use_pam)
2) sshd has to be linked with the pthread library in order not to lose krb5 environment vars. I have replaced the configure line in the ebuild with
    LDFLAGS="-lpthread" CFLAGS="-DUSE_POSIX_THREADS ${CFLAGS}" \
    CXXFLAGS="-DUSE_POSIX_THREADS ${CXXFLAGS}" \
    ./configure \
sshd works as expected. Could that be included in the official ebuild? Maybe with "use kerberos" ...
Best regards, Andrej
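Review bot: the added `if (client->store.envval = xmalloc (envval_len))` assigns inside the condition and has no else branch, so if the allocation ever yielded NULL, `envvar` would already be set to "KRB5CCNAME" while `envval` is left without a usable value. Either handle that case explicitly or, if xmalloc cannot return NULL, drop the test and make the assignment a plain statement. Two smaller points on the same added lines: `int envval_len` is declared after statements and receives a `strlen()` result, so `size_t` declared at the top of the block would be cleaner, and the bare `+ 6` (the "FILE:" prefix plus the terminator) would be easier to audit written as `sizeof("FILE:")` or with a short comment.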
Is this still a problem in 3.8?
Yes, it seems to be, even with "KerberosGetAFSToken yes" in /etc/ssh/sshd_config.
The current openssh ebuild (openssh-3.8_p1) still does not work with pam_krb5(afs). Although users can be authenticated, their tokens are not saved. This is due to the way pam modules are called from inside OpenSSH; other programs (like login, xdm, etc) don't have that problem. A workaround patch has been proposed; get it at http://itp.tugraz.at/Comp/Resources/OpenSSH/openssh-setcred.patch
Does the aforementioned patch resolve this?
*** Bug 63147 has been marked as a duplicate of this bug. ***
In SuSE 9.x builds I have found a solution. If ssh is compiled with pthreads, it works OK. No additional patches are needed. Maybe that can be a default, or a use flag (like pthreads) could be implemented in the ebuild. (tested with openssh 3.8x 3.9x 4.0)
So I have simply replaced the line
    econf \
with
    LDFLAGS="-lpthread" CFLAGS="-DUSE_POSIX_THREADS ${CFLAGS}" \
    CXXFLAGS="-DUSE_POSIX_THREADS ${CXXFLAGS}" \
    econf \
openssh-3.9_p1-r2 seems not to work with pam_krb5afs. pam_sm_setcred() returns 18 (No module specific data is present)
OK, the problem seems to be resolved with openssh 4.1, and it might also work with previous openssh versions (not checked). sshd_config should have:
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
(http://bugzilla.mindrot.org/show_bug.cgi?id=688)
ok, sounds good then ... thanks for checking this again