Kerberos5/AFS Support in 3.9?

From: Sensei (senseiwa_at_tin.it)
Date: 08/26/04

  • Next message: docks: "Re: HELP please! Why is the agent NOT recognized" 
    To: OpenSSH <secureshell@securityfocus.com>
Date: Thu, 26 Aug 2004 17:30:30 +0200

    Hi. I hope someone can help me.

    I'm trying to make openssh 3.9 support ticket/token forwarding for a
    single sign on: passwordless ssh sessions. I use pam_krb5 for kerberos
    authentication and pam_openafs_session for running aklog, and this is my
    system-auth pam file (used by all services):

    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so nodelay nullok
    auth sufficient /lib/security/pam_krb5.so forwardable
    use_first_pass
    auth required /lib/security/pam_deny.so

    account required /lib/security/pam_unix.so

    password required /lib/security/pam_cracklib.so retry=3
    password sufficient /lib/security/pam_unix.so nullok md5 shadow
    use_authtok
    password required /lib/security/pam_deny.so

    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_krb5.so
    session optional /lib/security/pam_openafs-krb5.so
    session required /lib/security/pam_limits.so

    Now, I have this problem: the passwordless ssh seems to be really
    broken, since it seems it does *not* forward the kerberos 5 tickets. So,
    every time, I have to enter a password.

    It seems that ssh does not support kerberos and SSO... Please help me!

    PS. I tried Kerberos*, GSSAPI*, UsePAM but *NOTHING* works... 

    -- 
Sensei <mailto:senseiwa@tin.it>
          
The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow is moday". (Gustave Flaubert)

  • Next message: docks: "Re: HELP please! Why is the agent NOT recognized"

    Relevant Pages

    • Re: Application Pool timouts.
      ... It is using kerberos to authenticate the user and it is connecting ... anonymous connections being made at this time. ... an idle session which is created by a browser. ... Note that the problem also occurs if i restart IIS while the user has the ...
      (microsoft.public.inetserver.iis.security)
    • Re: Application Pool timouts.
      ... It only happens when using kerberos authentication. ... open and un aware that their session is timed out. ... Can you post the relevant logfile entries from the IIS logfile please? ... security on the web folders is locked down to prevent anonymous logon. ...
      (microsoft.public.inetserver.iis.security)
    • Re: Lets talk about HTTPS Everywhere
      ... session encrypted via https. ... Cookies that allow the user to bypass a security measure are often ... As per kerberos, I have not read any case of "session hijacking", I ... Still, if you store your tickets on a flash drive, I ...
      (Debian-User)
    • Re: Help: Clear Kerberos Logins Information
      ... store that in a PHP session. ... This method also has the added bonus of loosely coupling Kerberos from ... Kerberos can be just one of several available login ...
      (comp.protocols.kerberos)
    • misc qs: not loading profile from memory, not alloc memory on mk_priv/mk_safe, no replay cache?
      ... Hi, I'm planning on using Kerberos for my video game, and so I am probably using it slightly differently than most installations, and I want to make sure I'm doing the right thing security-wise, and making any changes in the right places. ... I was hoping to make versions of mk_priv and mk_safe that use already allocated buffers, but this seems like it'd be a pretty huge change and there's a lot more memory allocation in those functions than just the output buffer, so it's probably not worth it. ... I'm trying to understand when it's safe to not use a replay cache, and from reading the internet, it seems like if I have the packets in a session have any kind of unique challenge-response data in them, I don't need to worry about replays, right? ...
      (comp.protocols.kerberos)