[OpenAFS] OpenSSH with krb and afs
Sergio Gelato
Sergio.Gelato@astro.su.se
Sat, 21 Aug 2004 23:18:28 +0200
* Douglas E. Engert [2004-08-20 13:50:36 -0500]:
> Peter Nelson wrote:
> >If I do a completely clean login to the server it works fine and I
> >recieve both krb tickets and afs tokens. However if I login using my
> >kerberos tickets I only recieve a ticket, no token. I'll attatch two
> >logs at the bottom to show what I mean. The version of ssh I'm using is
> >"OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d 17 Mar 2004"
> >recompiled to add --with-kerberos5 in debian/rules (why the default
> >debian build explicitly turns this off is beyond me).
From what I gleaned on debian-kerberos, the default ssh package won't
include Kerberos support until GSS key exchange has been implemented.
Sam Hartman hinted that he would continue to maintain the ssh-krb5
package for another while. Time permitting, I suppose; we may have to
roll our own if he's busy with other things.
> The problem is most likely that when you use the GSSAPI, the GSSAPI
> will store the credentials and set the KRB5CCNAME environment variable,
> but the OpenSSH code in session.c:
>
>     if (options.kerberos_get_afs_token && k_hasafs() &&
>         (s->authctxt->krb5_ctx != NULL)) {
>             char cell[64];
>
>             debug("Getting AFS token");
>
>             k_setpag();
>
> will not run as there is no krb5_ctx because the GSSAPI has
> the context.
That's almost certainly the case. I posted a patch for this on
openssh-unix-dev back in the days of 3.8. A copy is available at
http://www.astro.su.se/~gelato/patches/openssh-3.8p1-1.diff
It's been working flawlessly for me. I haven't forward-ported it to
3.8.1 or 3.9 (yet), but that shouldn't be too difficult. As to
why the patch (either mine or a functionally equivalent one) wasn't
integrated upstream I have no idea, but that's not my problem.
> A cleaner way would be to use a PAM session or storecreds exit
> to get the PAG and AFS token, as OpenAFS at least in 3.9
> will have the GSSAPI store the KRB5CCNAME in the pam_env.
Some of the platforms I'm interested in don't have PAM (and one of
these, OpenBSD, is rather important to OpenSSH --- maybe less so to
OpenAFS), but apart from that I tend to agree --- at least in theory,
once all the rough edges of PAM vs. privsep etc. are smoothed out.
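A user-side workaround for the situation described in this thread, added here as an example and not part of the original message, the patch, or the PAM approach discussed above: a login profile snippet that notices a GSSAPI session which arrived with a Kerberos credential cache (KRB5CCNAME exported by sshd) but no AFS token, and runs aklog only then. The OpenAFS tokens(1) and aklog(1) commands are assumed to exist on the host; the sample tokens output, the cell name example.org and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): detect "Kerberos ccache but no AFS
# token" after a GSSAPI ssh login and obtain the token with aklog.
# Assumed: OpenAFS `tokens` prints "... tokens for afs@CELL [Expires ...]"
# for each held token, and `aklog -cell CELL` exists.

# afs_token_present CELL TOKENS_OUTPUT
# Returns 0 if TOKENS_OUTPUT (the text printed by `tokens`) lists a token
# for CELL, 1 otherwise.  The text is passed in as an argument so the check
# can be exercised offline, without an AFS client.
afs_token_present() {
    cell=$1
    tokens_output=$2
    printf '%s\n' "$tokens_output" | grep -qF "tokens for afs@${cell} "
}

# need_aklog CELL TOKENS_OUTPUT
# Returns 0 in exactly the situation from the thread: a credential cache is
# available (KRB5CCNAME set by sshd's GSSAPI code) but no token for CELL.
# Returns 1 on a password login that already got a token, or when there is
# no ccache at all (aklog could not succeed anyway).
need_aklog() {
    cell=$1
    tokens_output=$2
    [ -n "$KRB5CCNAME" ] && ! afs_token_present "$cell" "$tokens_output"
}

# get_afs_token CELL: call this from ~/.profile.  Does nothing when the
# AFS client tools are missing or a token is already held.
get_afs_token() {
    cell=$1
    command -v tokens >/dev/null 2>&1 || return 0
    command -v aklog >/dev/null 2>&1 || return 0
    if need_aklog "$cell" "$(tokens 2>/dev/null)"; then
        aklog -cell "$cell"
    fi
}

# Constructed sample `tokens` output for offline checks (not captured from
# a real host): one listing with a token for example.org, one with none.
TOKENS_WITH_TOKEN="Tokens held by the Cache Manager:

User's (AFS ID 4711) tokens for afs@example.org [Expires Aug 22 09:18]
   --End of list--"
TOKENS_EMPTY="Tokens held by the Cache Manager:

   --End of list--"
```

Because sshd skipped its own k_setpag() call on this path, aklog here places the token in the uid-based default context rather than a fresh PAG, so it is shared with any other session of the same user on the host; running the profile under pagsh avoids that at the cost of an extra shell. The real fix remains getting sshd (or a PAM session module) to acquire the token before the user's shell starts.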