I've been trying to get a working version of openssh-3.7.1p2 as well. Unfortunately, afs support has been pulled, and the patch posted on the openafs list coredumps when I compile it. The new way that pam is done also introduces errors since pam_authenticate is supposedly called in a separate thread so that the correct environmental variables are not passed. Even after applying some changes on the openafs list, I'm still not able to get tokens (although I am able to log in at least) when logging in. I've noticed that the new version also breaks PuTTY using protocol version 2 with AFS (although it works okay if you don't use pam or if you log into a local account, such as root).
Does anyone have a patch to get this working? We would really like to upgrade to a newer version of OpenSSH but PAM support (esp w/pam_afs) is essential.

Sean
This is what happens when I put only this in the /etc/pam.conf file:

sshd auth optional /usr/lib/security/pam_afs.krb.so.1 ignore_root

(mind you, this line works okay with AFS accounts on previous version of openssh):

debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to "/dev/pts/0"
debug1: here 2
debug1: PAM: establishing credentials
PAM: pam_setcred(): Authentication failed
debug1: Calling cleanup 0x3a3dc(0x1279e4)
debug1: Calling cleanup 0x476d8(0x0)
debug1: session_by_tty: session 0 tty /dev/pts/0
debug1: channel 0: free: server-session, nchannels 1
debug1: session_pty_cleanup: session 0 release /dev/pts/0
debug1: Calling cleanup 0x4f5e0(0x0)
debug1: Calling cleanup 0x44404(0x0)
debug1: PAM: cleanup
debug1: Calling cleanup 0x44404(0x0)
debug1: PAM: cleanup

client:

AFS Password:
Connection to waterfall closed by remote host.
Connection to waterfall closed.

--------------

So credentials are not being set somehow (maybe an incompatible ticket or something?). I put the line "here 2" to see where it was failing. Looks like the second instance where do_pam_setcred(1) is being called after the tty is being set (around line 528 of session.c).
When I put set_token in my /etc/pam.conf file, I do manage to get tickets, but it is always owned by root and not by my uid. Is this why I am not able to get tokens? Having the ticket owned by root also causes other problems if not so (like using imsh with pine to automatically log into the imap server).