[OpenAFS-devel] New OpenSSH
Andrei Maslennikov
andrei@caspur.it
Wed, 25 Feb 2004 00:28:32 +0100 (MET)
On Tue, 24 Feb 2004, Jim Rees wrote:
> I see that OpenSSH 3.8 was released today, with "New KerberosGetAFSToken
> option for sshd(8)." This sounds like good news.
I tried it on Linux. First notes follow:
1) gssapi was replaced with gssapi-with-mic, and this means that
ssh_config now should contain:
"GSSAPIAuthentication yes"
"GSSAPIDelegateCredentials yes".
(to allow gssapi/mic authentication with delegation of credentials).
2) Connecting from a session without k5 creds:
-------------------------------------------
The new option "KerberosGetAFSToken yes" works correctly. It allows one
to obtain a token in a new pagsh with K5-passwd login. I have noted,
however, an annoying delay between the act of successful authentication
and the moment when the tokenized session is finally established.
In particular, client says:
"debug1: Authentication succeeded"
then server says:
"debug1: server_input_channel_open: confirm session"
and then server sleeps several *very* visible seconds prior to
continuing correctly.
With 3.7.1p2 and k5env/afslog everything works much faster.
3) Connecting from a session with k5 creds:
---------------------------------------
GSSAPI authentication works and K5 credentials are being
forwarded correctly. However, while I am admitted to the host
with gssapi-with-mic, I am not getting token/pagsh anymore
(like in the case of K5-password login).
I might have missed something. But the first impression is that
3.8p1 is i) a good step forward, but ii) still has to be worked on.
Andrei.
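
Added example, not part of the original message or of OpenSSH: a shell check that reads an effective-configuration dump and reports whether the options named in the message are set. It assumes a current OpenSSH whose `ssh -G <host>` and `sshd -T` print lowercase `key value` lines; the function name `check_opts`, the host name and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Check an OpenSSH effective-config dump for the options discussed above.
# Input: "key value" lines as printed by `ssh -G <host>` or `sshd -T`.

# check_opts "key=value ..." < dump
# Prints one line per option; returns the number of options that are
# absent from the dump or set to a different value.
check_opts() {
    dump=$(cat)
    bad=0
    for want in $1; do
        key=${want%%=*}
        val=${want#*=}
        # First matching line wins; keys are compared case-insensitively.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" \
            'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "ABSENT   $key (not reported in this dump)"
            bad=$((bad + 1))
        elif [ "$got" = "$val" ]; then
            echo "OK       $key $got"
        else
            echo "MISMATCH $key is '$got', expected '$val'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Client side: gssapi-with-mic with delegation of credentials (note 1).
CLIENT_WANT="gssapiauthentication=yes gssapidelegatecredentials=yes"
# Server side: GSSAPI login plus AFS token acquisition (notes 2 and 3).
SERVER_WANT="gssapiauthentication=yes kerberosgetafstoken=yes"

# Constructed sample dumps, not captured from a real host.
SAMPLE_CLIENT='hostname afs1.example.org
gssapiauthentication yes
gssapidelegatecredentials no'
SAMPLE_SERVER='port 22
gssapiauthentication yes
kerberosgetafstoken yes'

# Demo on the constructed client dump; on a live system pipe in
# `ssh -G <host>` or `sshd -T` instead.
if printf '%s\n' "$SAMPLE_CLIENT" | check_opts "$CLIENT_WANT"; then
    echo "client: ready for gssapi-with-mic with delegation"
else
    echo "client: options need attention"
fi
```

An option reported as ABSENT rather than MISMATCH is missing from the dump altogether, which is worth distinguishing from an option explicitly set to `no`.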