[OpenAFS-devel] OpenSSH support for krb4/afs
Henry B. Hotz
hotz@jpl.nasa.gov
Tue, 30 Sep 2003 11:03:17 -0700
At 12:01 PM -0400 9/30/03, openafs-devel-request@openafs.org wrote:
>Message: 5
>Date: Tue, 30 Sep 2003 14:30:02 +0200 (CEST)
>From: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
>To: Jeffrey Hutzelman <jhutz@cmu.edu>
>Cc: Harald Barth <haba@pdc.kth.se>, krb4@sics.se,
> openafs-devel@openafs.org, heimdal-discuss@sics.se
>Subject: Re: [OpenAFS-devel] OpenSSH support for krb4/afs
>
>On Thu, 4 Sep 2003, Jeffrey Hutzelman wrote:
>
>> On Thursday, September 04, 2003 16:59:56 +0200 Harald Barth
>> <haba@pdc.kth.se> wrote:
>>
>> >
>> >> is there anyone who would help the OpenSSH guys to include
>> >> back the krb4 support? As they did not know how to fix problems,
>> >> they rather removed the support as a whole. :((
>> >
>> > I think krb5 and AFS (with 2b) gives me everything I would need. Any
>> > reason to keep v4?
>> >
>> > What is the status of v5 ticket forwarding in ssh today?
>>
>> There is a standards-track extension to the SSHv2 protocol which adds
>> GSSAPI-based user authentication, including credential delegation for those
>> mechanisms which support it (such as GSS-KRB5). It has been implemented in
>> a variety of SSH clients and servers; there are patches available for
>> OpenSSH 3.x, and I believe the new method will be included in the upcoming
>> OpenSSH 3.7 release.
>
>Hi,
> I'd like to note that even 3.7.1p1 does not support krb5 (the GSSAPI is
>undef in config.h regardless of what configure options you use). Darren Tucker
><dtucker@zip.com.au> wrote me that he'd love to accept patches for that. It
>might happen that if someone helps, they would release 3.6.1p3 which contains
>the old krb4 code with security fixes backported. For the 3.7 branch,
>someone from you has to convince Theo de Raadt to put the krb4 back ... :)
>I just don't get why ssh supports .rhosts and why in comparison krb4 is
>considered insecure.
I've successfully tested GSSAPI with 3.7.1p1 on Solaris 8 with MIT
Kerberos 1.3.1 installed. The configure option for GSSAPI re-uses
the old krb5 configure option, but the ssh[d]_config files use new
directives to enable the capability. You also need a "host"
principal in your keytab file or sshd will disable the capability.
The test was only from the machine to itself since I haven't been
able to make it build with Heimdal on the other machine yet. From
what the author told me there are probably lots of compatibility
issues with the built-in GSSAPI as well.
sshd didn't create a new session to distinguish the ccache of the
loopback session from the original. (Think "PAGs not implemented".)
In other words it exists; it works; but it needs some more work.
If you have a Kerberos 5 cell and aren't using Heimdal then you can
use afslog (from KTH/Heimdal) or aklog to get an afs token from the
forwarded tgt.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
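The two prerequisites Henry describes for getting GSSAPI working with OpenSSH 3.7.x (the new ssh[d]_config directives, and a host principal in the keytab, without which sshd quietly disables the method) can be checked with a small script. The following is an added example written for this archive page, not code from the thread or from the OpenSSH project; the config files and the saved "klist -k" output it reads are constructed samples, and the hostname ssh.example.org and realm EXAMPLE.ORG are placeholders. The directive names GSSAPIAuthentication and GSSAPICleanupCredentials are the real OpenSSH ones; on the client side, ticket forwarding additionally needs GSSAPIDelegateCredentials yes in ssh_config.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the two prerequisites for
# GSSAPI user authentication in OpenSSH 3.7.x: the ssh[d]_config directive
# that enables it, and a host/ principal present in the keytab. All inputs
# below are constructed samples.

# gssapi_enabled FILE: succeed if FILE (an sshd_config or ssh_config) turns
# on GSSAPIAuthentication. The first occurrence wins, as in OpenSSH; comment
# lines are skipped and the keyword is matched case-insensitively.
gssapi_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "gssapiauthentication" { print tolower($2); exit }
    ' "$1" | grep -qx yes
}

# keytab_has_host_principal KLIST_OUTPUT FQDN: succeed if the saved output
# of "klist -k" lists a host/FQDN@REALM entry. Only lines that begin with a
# numeric KVNO are inspected, so the header lines never match.
keytab_has_host_principal() {
    awk -v want="host/$2@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit !found }
    ' "$1"
}

# --- constructed sample inputs (placeholder host and realm) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.weak" <<'EOF'
# constructed: GSSAPI left at the 3.7 default, i.e. off
Protocol 2
#GSSAPIAuthentication yes
EOF

cat > "$TMP/sshd_config.ok" <<'EOF'
# constructed: GSSAPI enabled on the server side
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

cat > "$TMP/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/ssh.example.org@EXAMPLE.ORG
   2 afs/example.org@EXAMPLE.ORG
EOF

# Report what you would want to know before blaming the client build.
for f in "$TMP/sshd_config.weak" "$TMP/sshd_config.ok"; do
    if gssapi_enabled "$f"; then
        echo "$f: GSSAPIAuthentication enabled"
    else
        echo "$f: GSSAPIAuthentication NOT enabled"
    fi
done
if keytab_has_host_principal "$TMP/klist.out" ssh.example.org; then
    echo "keytab: host/ssh.example.org present"
else
    echo "keytab: host/ssh.example.org missing, sshd will disable GSSAPI"
fi
```

On a real host you would point gssapi_enabled at /etc/ssh/sshd_config and feed keytab_has_host_principal the output of "klist -k" run as root, with the machine's fully qualified name as the second argument.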