Linux Support FAQ entry 20 Jun 2006, logged in as JanIven
LinuxSupportFAQForm
SupportProblem When logging into a SLC3/SLC4 machine via ssh+password, I don't get a valid AFS token?
SupportAnswer Please make sure that the correct "PAM" module is configured. The SLC sshd uses PAM for login, so it is the responsibility of the PAM module to provide additional credentials. Your /etc/pam.d/system-auth should have lines such as

auth sufficient /lib/security/$ISA/pam_krb5afs.so tokens external=sshd use_first_pass

session optional /lib/security/$ISA/pam_krb5afs.so external=sshd

The older pam_afs module does not provide AFS credentials in a correct way for sshd (it does provide credentials, but to a temporary process that dies shortly afterwards, i.e. these credentials never make it into the user session).

Unfortunately, these PAM modules switched in September 2006 (after SLC4 got released), and are still in some cases badly configured (we also had a program "authconfig" that in some cases reset them to the old value). You will therefore find some SLC machines that do not give a valid AFS token on login. The "ncm-afsclt" NCM module will correctly configure PAM, but may need to be invoked by hand (lcm --configure afsclt).

In addition, please make sure that "UsePAM yes" and "ChallengeResponseAuthentication no" are set in your /etc/ssh/sshd_config. These are the defaults as shipped in the SLC openssh-4.x RPMs, but will not have been taken into account if you have modified /etc/ssh/sshd_config manually. In this case you can use the sshd_config.rpmnew file in the same directory to compare against your current settings.

You can cut&paste the following to get the desired configuration:

# sed -i.old -e 's/^\(.*\)pam_afs.*/\1pam_krb5afs.so external=sshd use_first_pass/' /etc/pam.d/system-auth
# sed -i.old -e 's/^\(.*\)pam_afs.*/\1pam_krb5afs.so use_first_pass/' /etc/pam.d/screensaver-auth
# sed -i.bak -e 's/UsePAM.*/UsePAM yes/' -e 's/ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
# /sbin/service sshd restart
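
To verify the result afterwards, the script below checks the PAM file and sshd_config for the settings described above. It is an added example, not part of the original FAQ entry; the function names are this example's own, the two file paths are passed as arguments, and sshd_config is assumed to contain no Match blocks.

```shell
#!/bin/sh
# Added example, not part of the original FAQ: audit the two files the answer
# names. Function names are this example's own.

# Effective value of an sshd_config keyword: the first uncommented occurrence
# wins and keywords are case-insensitive. Match blocks are not considered.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# True if an active (uncommented) PAM line of type $1 matches regex $2 in file $3.
pam_has() {
    awk -v type="$1" -v pat="$2" \
        '$1 == type && $0 ~ pat { found = 1 } END { exit !found }' "$3"
}

# check_afs_login PAM_FILE SSHD_CONFIG: prints findings, returns 0 only if clean.
check_afs_login() {
    pam=$1 sshd=$2 rc=0
    # The older pam_afs module must not appear on any active line.
    if awk '$1 !~ /^#/ && /pam_afs/ { f = 1 } END { exit !f }' "$pam"; then
        echo "FAIL: $pam still references pam_afs"; rc=1
    fi
    # Both the auth and the session stack need pam_krb5afs.so with external=sshd.
    for type in auth session; do
        if ! pam_has "$type" 'pam_krb5afs[.]so.*external=sshd' "$pam"; then
            echo "FAIL: $pam has no '$type' line for pam_krb5afs.so external=sshd"; rc=1
        fi
    done
    # Each keyword must be set explicitly to the value the FAQ gives.
    for want in UsePAM=yes ChallengeResponseAuthentication=no; do
        key=${want%%=*} val=${want#*=}
        got=$(sshd_value "$key" "$sshd")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $sshd has $key '${got:-unset}', expected '$val'"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: PAM and sshd settings match the FAQ"; fi
    return "$rc"
}

# Run against the files given on the command line, if any.
if [ "$#" -eq 2 ]; then check_afs_login "$1" "$2"; fi
```

Run it as root with /etc/pam.d/system-auth and /etc/ssh/sshd_config as the two arguments; a non-zero exit status means at least one setting still needs fixing.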
OsVersion all
HardwareArchitecture any
ApprovedBySupport SupportApproved
Topic revision: r4 - 2006-10-17 - JanIven
 