[OpenAFS] OpenSSH with krb and afs
Peter Nelson
pnelson@andrew.cmu.edu
Thu, 19 Aug 2004 17:22:47 -0500
So after a few hours of hacking around I finally have Kerberos-based
authentication *almost* completely working. I'm using a combination of
pam_krb5 and pam_openafs_session for login to get tickets and tokens, and
that works fine. I read, however, that ssh's privilege separation breaks
the PAM modules, so I'm using the Kerberos support built into ssh. Here is the
relevant configuration I have from sshd_config that almost works:
KerberosAuthentication yes
KerberosGetAFSToken yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
If I do a completely clean login to the server it works fine and I
receive both krb tickets and AFS tokens. However, if I log in using my
Kerberos tickets I only receive a ticket, no token. I'll attach two
logs at the bottom to show what I mean. The version of ssh I'm using is
"OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d 17 Mar 2004"
recompiled to add --with-kerberos5 in debian/rules (why the default
Debian build explicitly turns this off is beyond me).
Thanks,
Peter
This works fine:
avatar:~$ klist
klist: No ticket file: /tmp/krb5cc_1000
V4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)
avatar:~$ ssh kurma
rufus@kurma's password:
kurma:~$ klist
Credentials cache: FILE:/tmp/krb5cc_lh9209
Principal: rufus@HACKISH.ORG
Issued Expires Principal
Aug 19 18:13:33 Aug 20 04:13:33 krbtgt/HACKISH.ORG@HACKISH.ORG
Aug 19 18:13:33 Aug 20 04:13:33 afs@HACKISH.ORG
V4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)
This doesn't work:
avatar:~$ kinit
rufus@HACKISH.ORG's Password:
avatar:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: rufus@HACKISH.ORG
Issued Expires Principal
Aug 19 17:16:58 Aug 20 03:16:58 krbtgt/HACKISH.ORG@HACKISH.ORG
Aug 19 17:16:58 Aug 20 03:16:58 krbtgt/HACKISH.ORG@HACKISH.ORG
Aug 19 17:16:59 Aug 20 03:16:58 afs@HACKISH.ORG
V4-ticket file: /tmp/tkt1000
Principal: rufus@HACKISH.ORG
Issued Expires Principal
Aug 19 17:16:58 Aug 20 03:16:58 krbtgt.HACKISH.ORG@HACKISH.ORG
avatar:~$ ssh kurma
kurma:~$ klist
Credentials cache: FILE:/tmp/krb5cc_Xk9316
Principal: rufus@HACKISH.ORG
Issued Expires Principal
Aug 19 18:17:41 Aug 20 04:16:58 krbtgt/HACKISH.ORG@HACKISH.ORG
V4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)
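The two klist listings above differ in exactly one line: the working session holds an afs@HACKISH.ORG service ticket next to the TGT, while the GSSAPI login holds only the delegated TGT. The following shell diagnostic is an added example, not code from Peter's post or from OpenSSH; it parses klist output in the Heimdal-style layout shown above (last field of each ticket line is the principal) and classifies a session as holding a TGT plus an afs ticket, a TGT only, or no TGT. The function names and the embedded sample listings are constructed for this example, copied from the logs in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a session by the
# service tickets visible in `klist`, so the "ticket but no token" case from
# the post can be spotted at login time, e.g. from a shell profile.

# klist_has_service OUTPUT SERVICE
# Returns 0 if OUTPUT (the text of `klist`) lists a ticket whose principal
# begins with SERVICE (for example "afs" or "krbtgt"), 1 otherwise.
klist_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        # Ticket lines look like:
        #   Aug 19 18:13:33  Aug 20 04:13:33  afs@HACKISH.ORG
        # The principal is the last field; match "svc@REALM" or "svc/inst@REALM".
        # Header lines ("Principal: user@REALM", "Issued Expires Principal")
        # never match because their last field does not start with svc.
        $NF ~ ("^" svc "[@/]") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose OUTPUT
# Prints "tgt+afs" when both a TGT and an afs ticket are present,
# "tgt-only" when only the TGT was delegated (the failing case in the post),
# and "no-tgt" when the cache holds no TGT at all.
diagnose() {
    if ! klist_has_service "$1" krbtgt; then
        echo no-tgt
    elif klist_has_service "$1" afs; then
        echo tgt+afs
    else
        echo tgt-only
    fi
}

# Constructed samples: the two remote-side listings from the post.
GOOD_KLIST='Credentials cache: FILE:/tmp/krb5cc_lh9209
Principal: rufus@HACKISH.ORG
  Issued           Expires          Principal
Aug 19 18:13:33  Aug 20 04:13:33  krbtgt/HACKISH.ORG@HACKISH.ORG
Aug 19 18:13:33  Aug 20 04:13:33  afs@HACKISH.ORG'

BAD_KLIST='Credentials cache: FILE:/tmp/krb5cc_Xk9316
Principal: rufus@HACKISH.ORG
  Issued           Expires          Principal
Aug 19 18:17:41  Aug 20 04:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG'

# On a live session, run: diagnose "$(klist 2>/dev/null)"
```

A "tgt-only" result after a GSSAPI login means the ticket cache was populated by credential delegation but nothing on the server side acquired the afs service ticket, which is the symptom the post describes; a "no-tgt" result means the session never received Kerberos credentials at all, so the problem lies earlier, in authentication or delegation rather than in token acquisition.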