[OpenAFS] home on afs woes

Douglas E. Engert deengert@anl.gov
Wed, 04 Jan 2006 14:19:56 -0600 

Russ Allbery wrote:

> Douglas E Engert <deengert@anl.gov> writes:
> 
> 
>>The sshd could accept a forwarded ticket for the sole purpose of using
>>it to get an AFS token so the sshd could access the .k5login file before
>>the krb5_kuserok was called (There might be some other dot files that
>>could also be accessed early.)  Getting this ticket early does not
>>changed the security model, as the checking of the .k5login is to allow
>>access to the local machine, not the AFS file system.  The forwarded
>>ticket and token could be discarded if the krb5_kuserok fails.
> 
> 
> The client is, understandably, not going to forward the ticket until after
> the authentication step is complete, so what this basically means is
> authenticating the user, accepting the forwarded ticket, and then
> reauthenticating the user.  I guess it would be possible to do this, but
> ew.  I'm guessing ew would be the OpenSSH upstream reaction too.

Its part of the GSSAPI exchange, to get the forwarded ticket and is done
before the krb5_kuserok is called outside of gssapi.

> 
> And this doesn't help with the PAM situation, where you don't get an AFS
> token until after pam_setcred is called, which is after pam_authenticate,
> and some programs only call pam_authenticate and never call the other PAM
> functions.  This is probably wrong of them, but still, it shouldn't
> introduce a security hole.
> 

I know pam is a mess and aplications don't call it correctly.

> I suppose you could fall back on the standard PAM cheat of doing
> everything in pam_authenticate and making everything else a no-op, but
> that too breaks in other situations where people call pam_authenticate in
> a different context than pam_setcred (OpenSSH is again at fault).
> 
> I don't see a good solution to this, unfortunately.  I wish that AFS
> supported the directory lookup semantics supported in Unix with execute
> but no read, but I can see why that would be rather hard to do.

Not sure if that would even help. The point I would like is that the .k5login
is only readable if I as a user permit it. i.e. by me forwarding a ticket to
some machinhe so it can read it or by me adding the host on to the ACL of the
directoty.

> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444