[OpenAFS] OpenSSH with krb and afs

Christopher D. Clausen cclausen@acm.org
Fri, 20 Aug 2004 11:55:47 -0500


Peter Nelson wrote:
> So after a few hours of hacking around I finally have kerberos-based
> authentication *almost* completely work.  I'm using a combination of
> pam_krb5 and pam_openafs_session for login to get tickets and tokens
> and that works fine.  I read however that ssh's privilege separation
> breaks the pam modules so I'm using kerberos built into ssh.  Here is
> the relevant configuration I have from sshd_config that almost works:
>
> KerberosAuthentication yes
> KerberosGetAFSToken yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
>
> If I do a completely clean login to the server it works fine and I
> recieve both krb tickets and afs tokens.  However if I login using my
> kerberos tickets I only recieve a ticket, no token.  I'll attatch two
> logs at the bottom to show what I mean.  The version of ssh I'm using
> is "OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d 17 Mar 2004"
> recompiled to add --with-kerberos5 in debian/rules (why the default
> debian build explicitly turns this off is beyond me).
>
> Thanks,
> Peter
>
> This works fine:
>
> avatar:~$ klist
> klist: No ticket file: /tmp/krb5cc_1000
>
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
> avatar:~$ ssh kurma
> rufus@kurma's password:
> kurma:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_lh9209
>        Principal: rufus@HACKISH.ORG
>
>  Issued           Expires          Principal
> Aug 19 18:13:33  Aug 20 04:13:33  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 18:13:33  Aug 20 04:13:33  afs@HACKISH.ORG
>
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
>
> This doesn't work:
>
> avatar:~$ kinit
> rufus@HACKISH.ORG's Password:
> avatar:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>        Principal: rufus@HACKISH.ORG
>
>  Issued           Expires          Principal
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 17:16:59  Aug 20 03:16:58  afs@HACKISH.ORG
>
>   V4-ticket file: /tmp/tkt1000
>        Principal: rufus@HACKISH.ORG
>
>  Issued           Expires          Principal
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt.HACKISH.ORG@HACKISH.ORG
> avatar:~$ ssh kurma
> kurma:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_Xk9316
>        Principal: rufus@HACKISH.ORG
>
>  Issued           Expires          Principal
> Aug 19 18:17:41  Aug 20 04:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
>
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)

Is there a particular reason why you need openssh 3.8?  If not, use the 
ssh-krb5 package based on OpenSSH 3.6.

apt-get install ssh-krb5

ssh -K hostname

The debian ssh-krb package has this option to forward credentials 
instead of just using them for authentication.  You need to forward them 
in order to get AFS tokens on the remote machine.

I believe that the ssh-krb5 package based on openssh 3.8 will be 
available soon.

Also, there are GSSAPI and Kerberos options in /etc/ssh/ssh_config that 
you need to set for the ssh client to use:
KerberosAuthentication yes
KerberosTGTPassing yes
GSSAPIAuthentication yes

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
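A small audit script for the client and server options discussed in this thread, added here as an illustration and not part of either mail or of OpenSSH itself. It assumes the plain `Keyword value` form of sshd_config/ssh_config (no `=` separators, no per-Host overrides) and treats the first uncommented occurrence of a keyword as the effective one, as sshd does.

```shell
#!/bin/sh
# Constructed example: report which Kerberos/GSSAPI options from the thread are
# missing or disabled in an OpenSSH config file. Not from the original mails.

# Server-side options Peter set in sshd_config.
SERVER_OPTS="KerberosAuthentication KerberosGetAFSToken KerberosTicketCleanup GSSAPIAuthentication"
# Client-side options Christopher lists for /etc/ssh/ssh_config.
CLIENT_OPTS="KerberosAuthentication KerberosTGTPassing GSSAPIAuthentication"

# Print the effective value of one keyword (first uncommented match wins),
# lower-cased, or nothing if the keyword is not set at all.
# $1 = config file, $2 = keyword (matched case-insensitively, like sshd)
ssh_opt_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                      # skip comment lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Check every keyword in a list; print a line for each one that is absent or
# not "yes". Returns the number of problems found (0 = all present and on).
# $1 = config file, $2 = space-separated keyword list
check_krb_opts() {
    problems=0
    for key in $2; do
        val=$(ssh_opt_value "$1" "$key")
        case "$val" in
            yes) ;;
            "")  echo "MISSING: $key is not set in $1"
                 problems=$((problems + 1)) ;;
            *)   echo "DISABLED: $key = $val in $1"
                 problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}
```

Run it as `check_krb_opts /etc/ssh/ssh_config "$CLIENT_OPTS"` on the client and `check_krb_opts /etc/ssh/sshd_config "$SERVER_OPTS"` on the server; a missing KerberosTGTPassing on the client is exactly the case where you get a ticket but no AFS token.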