On Mon, Oct 08, 2007 at 08:03:03AM -0400, Roberto C. Sánchez wrote:
>
> roberto@miami:~$ ssh manta
> Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
> Could not chdir to home directory /network/home/roberto: Permission denied
> /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
> -bash: /network/home/roberto/.bash_profile: Permission denied
> -bash-3.00$ logout
> -bash: /network/home/roberto/.bash_logout: Permission denied
> Connection to manta closed.

Apologies for the self reply, but I seem to have found a workaround. Hopefully someone coming across this in the archives will be able to use this information.

The problem is that sshd's use of processes (instead of threads) means that when pam_krb53.so is invoked to set up the tickets, it is done in a process that the client (or user) never touches. So, the tickets are generated and promptly lost. In the case of NFSv4 mounted home directories this is a real problem, as the xauth and bash processes that are run as the user now cannot access the user's home directory. I also think that my use of key-based logins (i.e., all password logins for ssh on my network are disabled) also contributes to the problem.

Additionally, it appears that sshd in Sarge linked against pthreads, so this may not have been a problem then. But Etch's sshd is not threaded.

A posting by Russ Allbery on one of the OpenAFS sites mentioned using the -K option to ssh on the client. The configuration file equivalent is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for system-wide) or to ~/.ssh/config (for per-user) credential delegation.

So, now with that directive in my ~/.ssh/config I no longer receive the permission denied, as the current ticket from my current session is forwarded along properly.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
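Added example (not part of the original message): a client-side shell check that reads `ssh -G <host>` output and confirms Kerberos ticket delegation is on only for the hosts meant to receive tickets, such as the one serving NFSv4 home directories. The function names, the second host name and the sample output are constructed for illustration. It assumes an OpenSSH client that supports `-G` and was built with GSSAPI, and it treats delegation as active only when `GSSAPIAuthentication` is also on.

```shell
#!/bin/sh
# Added example, not from the original post.

# delegation_enabled: read `ssh -G <host>` output on stdin; succeed (exit 0)
# only if the effective client config has both GSSAPI authentication and
# credential delegation turned on (assumption: delegation needs both).
delegation_enabled() {
    awk '
        $1 == "gssapiauthentication"      { auth  = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END { exit !(auth == "yes" && deleg == "yes") }'
}

# audit_host HOST EXPECTED: compare the effective setting with what you
# intend ("yes" for hosts trusted to receive tickets, "no" for the rest).
# Reads `ssh -G` output from stdin so it can be exercised offline.
audit_host() {
    host=$1
    expected=$2
    if delegation_enabled; then actual=yes; else actual=no; fi
    if [ "$actual" = "$expected" ]; then
        echo "ok $host delegation=$actual"
    else
        echo "MISMATCH $host delegation=$actual expected=$expected"
        return 1
    fi
}

# Constructed `ssh -G` excerpts (not captured from real hosts).
sample_trusted() {
    printf '%s\n' 'hostname manta' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}
sample_other() {
    printf '%s\n' 'hostname other.example' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}

# Live use on a client:
#   ssh -G manta | audit_host manta yes
```

A mismatch on a host expected to be `no` usually means the directive sits in `/etc/ssh/ssh_config` or under a broad `Host` pattern rather than under the one host that needs the forwarded ticket.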