[OpenAFS-devel] New OpenSSH

Andrei Maslennikov andrei@caspur.it
Wed, 25 Feb 2004 00:28:32 +0100 (MET)


On Tue, 24 Feb 2004, Jim Rees wrote:

> I see that OpenSSH 3.8 was released today, with "New KerberosGetAFSToken
> option for sshd(8)."  This sounds like good news.


I tried it on Linux. First notes follow:

1) gssapi was replaced with gssapi-with-mic, and this means that 
   ssh_config now should contain:

   "GSSAPIAuthentication yes"
   "GSSAPIDelegateCredentials yes".

   (to allow gssapi/mic authentication with delegation of credentials).

2) Connecting from a session without k5 creds:
   ------------------------------------------- 
   The new option "KerberosGetAFSToken yes" works correctly. It allows 
   one to obtain a token in a new pagsh with K5-passwd login. I have noted, 
   however, an annoying delay between the act of successful authentication 
   and the moment when the tokenized session is finally established.    

   In particular, client says:

         "debug1: Authentication succeeded"

   then server says: 

         "debug1: server_input_channel_open: confirm session"

   and then server sleeps for several *very* visible seconds prior to 
   continuing correctly.
   
   With 3.7.1p2 and k5env/afslog everything works much faster.
 

3) Connecting from a session with k5 creds:
   ----------------------------------------
   GSSAPI authentication works and K5 credentials are being 
   forwarded correctly. However, while I am admitted to the host
   with gssapi-with-mic, I am not getting token/pagsh anymore
   (like in the case of K5-password login).


I might have missed something. But the first impression is that
3.8p1 is i) a good step forward, but ii) still has to be worked on.   

Andrei.
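
Added example, not part of the original message and not OpenSSH code: a small resolver that reports, for a given target host, whether an ssh_config would end up with both options from note 1 enabled, using ssh_config's "first obtained value wins" rule and Host pattern negation. The hostnames, the sample config and the function names are constructed for illustration; Match blocks are skipped rather than evaluated.

```python
import fnmatch

# The two client options named in note 1; OpenSSH defaults both to "no".
DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}

# Constructed sample config; hostnames are placeholders.
SAMPLE = """\
Host *.afs.example.org !bastion.afs.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

def host_matches(patterns, host):
    """Host line semantics: at least one positive match and no negated match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False  # a negated pattern that matches vetoes the block
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_gssapi(config_text, host):
    """Resolve both GSSAPI options for `host`; the first value seen is kept."""
    found = {}
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single "="
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if keyword == "host":
            active = host_matches(value.split(), host.lower())
        elif keyword == "match":
            active = False  # Match blocks are not evaluated in this sketch
        elif active and keyword in DEFAULTS and keyword not in found:
            found[keyword] = value
    return {**DEFAULTS, **found}

def delegates_credentials(config_text, host):
    """True only if GSSAPI auth and credential delegation are both 'yes'."""
    return all(v == "yes" for v in effective_gssapi(config_text, host).values())
```

Because the first value wins, a narrow Host block has to appear before `Host *` for its delegation setting to take effect.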