[OpenAFS] OpenSSH with krb and afs
Douglas E. Engert
deengert@anl.gov
Mon, 23 Aug 2004 09:14:51 -0500
Peter Nelson wrote:
> Douglas E. Engert wrote:
>
>> Peter Nelson wrote:
>>
>>> So after a few hours of hacking around I finally have kerberos-based
>>> authentication *almost* completely work. I'm using a combination of
>>> pam_krb5 and pam_openafs_session for login to get tickets and tokens
>>> and that works fine. I read however that ssh's privilage seperation
>>> breaks the pam modules so I'm using kerberos built into ssh. Here is
>>> the relevent configuration I have from sshd_config that almost works:
>>
>>
>> The problem is most likely that when you use the GSSAPI, the GSSPAI
>> will store the credentials and set the KRB5CCNAME environment variable,
>> but the OpenSSH code is session.c:
>
>
> Thanks for the pointer. I did a bit more searching and found a patch on
> the openssh mailing list that fixes up at code in session.c to use the
> gssapi credentials. Seems to be working perfectly so I wonder why the
> patch wasn't accepted.
Most likely the patch was not accepted because it adds even more AFS
and Kerberos specific code to OpenSSH. They are very picky, as well they
should be about ading code. Even if it is #ifdef'ed this is
a problem if one wants to use the vendors builds of OpenSSH, as the vendor
may not build with AFS.
The OpenSSH does try and add to the PAM env the KRB5CCNAME, so it
can be used by a PAM routine. But then have it too late to be
use corretly. (I did send in a fix for this via e-mail.)
The use of a PAM sesion or setcreds routine to use the KRB5CCNAME
to get the PAG and tokens looks like a much cleaner approach
for OpenSSH vendors and OPenAFS.
>
> <http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107784415709841&w=2>
>
> -Peter
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444