[OpenAFS] kth-krb, openssh w. afs support on fedora core

David Botsch dwb7@ccmr.cornell.edu
Wed, 8 Oct 2003 17:57:19 -0400


Hi. From reading the README, it seems that we need to be at Krb5 first,
to use gssklog? (We are working on getting there, and are real close
now :).

Thanks.

On 2003.10.08 15:24 Douglas E. Engert wrote:
> 
> 
> David Botsch wrote:
> >
> > Is there a howto on how to do things with gssapi (or can someone offer some
> > pointers)?
> >
> > I recall some previous discussion with people having issues, but would have to
> > search back through archives.
> >
> > If I can get kth-krb to work, then should be able to recompile openssh3.4
> > hopefully.
> 
> There are two places to use gssapi, first from the ssh to the sshd
> to both authenticate the user, and to delegate a credential. Then the
> user process started by the sshd could use the credential to authenticate
> to a server to get an AFS token.
> 
> The first requires the user to have authenticated on the client, and
> have obtained credentials. For example used Kerberos for login, or
> use kinit. The ssh to sshd can then use the GSSAPI to authenticate
> and delegate a new Kerberos ticket to the SSHD server machine.
> 
> Gssklog does the second of these to authenticate to a gssklogd running on
> the AFS database server(s), to get an AFS token. It can use the delegated
> credential for this.
> 
> See ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
> 
> aklog can also use the delegated Kerberos credential to get an AFS token,
> and can be called from SSHD or a PAM routine.
> 
> For example, I have logged on to my W2K machine using an AD account.
> I can then use SecureCRT with SSH to ssh to a Unix machine using GSSAPI
> and delegate a credential. The SSHD on that machine can use gssklog
> via PAM to get me an AFS token so I can access my home directory in
> AFS.
> 
> The point is you don't pass AFS tokens around, you delegate credentials
> and use these to obtain tokens.
> 
> >
> > On Wed, Oct 08, 2003 at 02:29:01PM -0400, Chaskiel M Grundman wrote:
> > >
> > >
> > > --On Wednesday, October 08, 2003 12:33:27 -0400 David Botsch
> > > <dwb7@ccmr.cornell.edu> wrote:
> > >
> > > > Then, moved on to trying to get openssh going w. afs token passing
> > > > support.
> > > IIRC, the afs code was disabled in openssh 3.6 and removed in 3.7 (it
> > > didn't work with privsep, it was insecure, etc. etc.)
> > >
> > > The new way to accomplish the same task is with GSSAPI credential
> > > delegation. Also IIRC, openssh 3.7 includes a partial but usable
> > > implementation of the GSSAPI code.
> > >
> > > > Ran into the can't compile in afs w/o krb4, so, went to try and
> > > > compile kth-krb 1.2.2, which fails with:
> > > >
> > > > encrypt_ktext.c: In function `encrypt_ktext':
> > > > encrypt_ktext.c:45: error: incompatible types in initialization
> > > The easy way to fix this is to not compile krb4 against openssl and let it
> > > use its own des library. However, doing so may cause you problems in the
> > > long run. The other thing you can do is define
> > > OPENSSL_DES_LIBDES_COMPATIBILITY before <openssl/des.h> is included,
> > > although supposedly that code is going away at some point.
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> > ********************************
> > David William Botsch
> > Consultant/Advisor II
> > CCMR Computing Facility
> > dwb7@ccmr.cornell.edu
> > ********************************
> 
> --
> 
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
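
The flow described in the quoted reply only yields an AFS token if the ssh client actually forwards a ticket, so a common failure is a GSSAPI login that succeeds but leaves gssklog or aklog with nothing to use. The following is an added example, not part of the thread or of OpenSSH: a shell check over constructed sample configs. The function names are hypothetical, and it simplifies by reading only the global section, before any `Host` or `Match` block.

```shell
#!/bin/sh
# Added example. Both configs below are constructed samples.
SSHD_SAMPLE='# sshd_config on the Unix login host
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'
SSH_SAMPLE='# ssh_config on the client
GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes
Host *.example.org
    GSSAPIDelegateCredentials yes
'

# Print the global value of a keyword, lower-cased.
# Keywords are case-insensitive and the first value found wins;
# scanning stops at the first Host/Match block (simplifying assumption).
global_opt() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " "); key = tolower($1) }
        key == "host" || key == "match" { exit }
        key == want { print tolower($2); exit }'
}

# Print a space-separated list of settings that block the
# "authenticate, delegate, then obtain a token" flow.
# An absent keyword counts as "no", which is the OpenSSH default for all three.
delegation_ready() {  # $1 = sshd_config text, $2 = ssh_config text
    problems=""
    [ "$(global_opt "$1" GSSAPIAuthentication)" = yes ] ||
        problems="$problems server:GSSAPIAuthentication"
    [ "$(global_opt "$2" GSSAPIAuthentication)" = yes ] ||
        problems="$problems client:GSSAPIAuthentication"
    # Without this the login works but no ticket reaches the server,
    # so gssklog/aklog run from sshd or PAM cannot obtain an AFS token.
    [ "$(global_opt "$2" GSSAPIDelegateCredentials)" = yes ] ||
        problems="$problems client:GSSAPIDelegateCredentials"
    printf '%s\n' "${problems# }"
}

# The commented-out global line and the per-host override mean delegation
# is off for hosts outside *.example.org.
delegation_ready "$SSHD_SAMPLE" "$SSH_SAMPLE"
```

An empty result means all three settings are enabled globally; enabling delegation per host, as the sample does, limits which servers receive a forwarded ticket.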