[OpenAFS] AFS via SSH tunnel
Andreas Haupt
andreas.haupt@desy.de
Wed, 02 Jul 2025 09:29:21 +0200
Hi,
although maybe a bit more complicated, I managed to make AFS client
work with sshuttle (tproxy mode). Callbacks sent by the servers might
be an issue, though.
Cheers,
Andreas
On Sun, 2025-06-29 at 20:25 -0400, Ernesto Alfonso wrote:
> I have an AFS server at home that's not exposed to the public
> internet. When I'm not home, occasionally I'd like to have secure
> access to the file system.
>
> At first I tried to VPN into my home network to have access to the
> AFS server as a local host, but I'm having trouble setting this up
> right now for reasons not related to AFS--some openvpn server issue
> where I'm able to establish the VPN connection but unable to see any
> other hosts except the VPN server itself.
>
> My current attempt is to use SSH to forward all the relevant openafs
> ports as local services, and then try to trick my AFS client into
> connecting to 127.0.0.1. I'm forwarding the ports 88, 7000-7007,
> using a command similar to this:
>
>     ssh -N myhome.com -L 88:afsserver:88 -L 7000:afsserver:7000 -L 7001:afsserver:7001 -L 7002:afsserver:7002 -L 7003:afsserver:7003 -L 7004:afsserver:7004 -L 7005:afsserver:7005 -L 7006:afsserver:7006 -L 7007:afsserver:7007
>
> myhome.com is an intermediate host that exposes an SSH server, and
> can locally access afsserver.local. The ports are forwarded to my
> laptop's localhost. I then manipulate /etc/hosts to name 127.0.0.1 as
> afsserver, and I also update CellServDB.
>
> After this, I try to run kinit myuser && aklog -d
>
> The kinit command succeeds, but aklog -d fails, curiously with exit
> status 0.
>
>     $ aklog -d
>     Authenticating to cell afs.example.com (server afs.example.com).
>     Trying to authenticate to user's realm AFS.EXAMPLE.COM.
>     Getting tickets: afs/afs.example.com@AFS.EXAMPLE.COM
>     Using Kerberos V5 ticket natively
>     About to resolve name admin to id in cell afs.example.com.
>     Error -1
>     Setting tokens. admin @ afs.example.com
>     █[laptop][Downloads][0]$
>
> I'm also unable to read any AFS files:
>
>     cat /afs/afs.example.com/public/hola
>     cat: /afs/afs.example.com/public/hola: Connection timed out
>
> How should human users of AFS interpret this "Error -1", and what can
> I do about it?
>
> I would also welcome suggestions as to alternative ways to
> achieve my original goal, though I wouldn't feel inclined to open up
> all the AFS ports directly to the public.
>
> Thanks,
>
> Ernesto
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY, Zeuthen | WWW: http://www.zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen |