obtain Kerberos afs ticket automatically at login

OkoSanto · 06-03-2009, 06:51 AM

Hi,

I've successfully installed & configured the openafs client. By running

Code:

klog.afs -principal "username"

and giving my password, I get afs access rights to my folder at the university. I'd like to have this happening automatically after login (I mean login on my local machine). Is there any way to script this? (putting a script in /etc/init.d for example?). I tried running an expect script to issue the klog.afs command, but when putting it in /etc/init.d/, it doesn't seem to work (access to my afs folder denied).

I'm confused as to how kerberos tokens relate to local users. If a script in /etc/init.d gets a kerberos token, is the token bound to the root on my machine, or is it also valid for my uid?

irishbitte · 06-03-2009, 07:34 AM

I'm guessing you're using wireless, right? In this case, the wireless connection is made once you have logged in. What you possibly can do is add your startup script to the login scripts, after the 'iwconfig' script.

OkoSanto · 06-03-2009, 08:34 AM

No, I'm using an ethernet connection on this machine, so I should be connected rightaway.

Can you give some more hints? At this point, I don't even know what a script that accomplishes this should look like... Before I had the following expect script

Code:

spawn su <local username>                       
spawn klog.afs -principal <remote username>    
expect "Password:*"                   
send -- "<password>\r"                  
expect eof

which I called from a script in /etc/init.d, i.e.

Code:

#!/bin/bash
expect klogscript

This procedure didn't work, but calling the expect script manually after startup, did grant me access to afs

irishbitte · 06-03-2009, 07:39 PM

Ok, I've tried reading up on this, and I don't have an AFS server to test on, but I do know that it is possible to configure PAM modules for kerberos: /etc/krb5.conf is the starting point. Are your user name and password for AFS the same as your local machine? It may be possible to automatically mount the AFS server using a PAM module.

Definitely you need to look at doing what is described here: http://help.unc.edu/6370 adjusting for your own local parameters.

OkoSanto · 06-04-2009, 09:06 AM

PAM seems to be the way to go, if I want to access my system + afs with a single login. But it's quite a complicated procedure, and it seems that doing things with my level of understanding, could cause some complications (notably me being unable to login again if I screw up the settings...). I'm going to have to postpone this until I have the time to study it more carefully. (If I want to, I don't necessarily want to become a professional unix sysadmin

Seems this afs is not really meant for the casual home user anymore )

irishbitte · 06-04-2009, 06:34 PM

Well, an easy way to ensure that you don't lock yourself out, is create another user on your system with sudo rights, that is, add that new user to the admin group. That way, you can play with your main account, and you have a backdoor to reset things if it all goes wrong. PAM is not that difficult to setup, the problem is testing the setup.

Take a look at this link, this guy seems to have gone through similar things to you: http://www.alittletooquiet.net/text/kerberos-on-ubuntu/

OkoSanto · 06-05-2009, 08:18 AM

Yes, after reading some things about PAM, I'm also feeling less intimidated

.

If I get this right, adding only entries with control "sufficient" or "optional", could also never have the effect of locking me out, right? I suppose adding the wrong entries as "sufficient" could render my system vulnerable to attackers,but security is not really an issue at the moment (I'm mostly playing around with the configs anyway).

OkoSanto · 06-05-2009, 09:13 AM

Ok, its actually pretty easy once you ignore the warnings the like of "you'll lose access to your system if you screw this up!!!" For future reference, I'll give a brief account here.

There are more than a couple of things I don't understand or I'm not sure of, so if you have comments and corrections, please speak up!

apart from the usual (openafs client, kerberos-stuff I already forgot), you need the PAMs pam_krb5 and pam_openafs_session (available on debian and ubuntu as libpam_krb5 and libpam_openafs_session, respectively).

With those PAMs installed, you need to modify the right files in /etc/pam.d . I practically always use KDE and therefore only modified /etc/pam.d/kdm (remark/question: I think this also guarantees that, if I screwed up, I could still use normal login, i.e. through a terminal, and undo the damage??). I think gnome users should modify some file called "/etc/pam.d/gdm" etc?

Anyway, you add some lines to kdm which basically call pam_krb5 and make it obtain a kerberos ticket at login (by encoding the password you type at login and sending it to the kerberos host. Your local password therefore needs to be the same as your password at the kerberos service!) and manage it until the end of your session, as well as a line which calls pam_openafs_session, which gets an afs token from your kerberos ticket.

My /etc/pam.d/kdm therefore looks like this:

Code:

auth    sufficient      pam_krb5.so minimum_uid=1001
auth    optional        pam_openafs_session.so program=/usr/bin/aklog
auth       required     pam_nologin.so
auth       required     pam_env.so readenv=1
auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session    required     pam_limits.so

account sufficient      pam_krb5.so minimum_uid=1001
@include common-account

password sufficient     pam_krb5.so ignore_root debug minimum_uid=1001
@include common-password

session optional pam_krb5.so ignore_root debug minimum_uid=1001
session optional pam_openafs_session.so program=/usr/bin/aklog
@include common-session

where only the lines containing pam_krb5.so and pam_openafs_session.so were added. The thing with minimum_uid serves to guarantee that user nr. 1000 as well as root stay unaffected (is this correct?), in case something goes wrong.

Important bits:

make sure your /etc/krb5.conf configuration file is correct (set your default_realm)), you can check this first by observing that the terminal commands kinit and aklog don't return errors.
your local password needs to be the same as the password of the afs account you want to login to (I believe? But what about username?)

Some links:
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/(example pam_krb5 setup) (a hint from irishbitte)
http://en.gentoo-wiki.com/wiki/OpenA...h_MIT_Kerberos(the most detailed guide I could find, actually explaining all of the above)
http://www.scl.ameslab.gov/scl_user_info/debian.html(openafs setup)
http://web.mit.edu/AFS/sipb/project/.../README.Debian(openafs and Debian and therefore prob. Ubuntu, too)
http://content.hccfl.edu/pollock/AUnix2/PAM-Help.htm(a good page explaining some the concepts and workings of PAMs)

irishbitte · 06-05-2009, 03:40 PM

You're making good progress, sounds great. I'm not exactly sure how AFS works as an implementation, but I imagine that the username / password combo would need to be the same as that on your default kerberos realm. I'm really not certain. It is the golden prize in computing at the moment to develop a Single Sign On system, that will mean you would only need to sign on once at the start of a session, and all the services you use are tied to that Single Sign On. The security aspect is a nightmare, but for convenience? Fantastic!

OkoSanto · 06-06-2009, 05:51 AM

Yes, right now, it works as I wanted it to, though I had to create a new user on my local machine with the same username as I have on the remote machine. I believe there are some krb5.conf options you can set to translate local usernames to remote usernames for this purpose, but I don't quite understand them yet. And anyway, it's time for me to get some actual work done instead of playing with the configuration

.

to be continued, I guess...