[OpenAFS-devel] New OpenSSH

Douglas E. Engert deengert@anl.gov
Wed, 25 Feb 2004 07:58:39 -0600


Andrei Maslennikov wrote:
> 
> On Tue, 24 Feb 2004, Jim Rees wrote:
> 
> > I see that OpenSSH 3.8 was released today, with "New KerberosGetAFSToken
> > option for sshd(8)."  This sounds like good news.
> 
> I tried it on Linux. First notes follow:
> 
> 1) gssapi was replaced with gssapi-with-mic, and this means that
>    ssh_config now should contain:
> 
>    "GSSAPIAuthentication yes"
>    "GSSAPIDelegateCredentials yes".
> 
>    (to allow gssapi/mic authentication with delegation of credentials).
> 
> 2) Connecting from a session without k5 creds:
>    -------------------------------------------
>    The new option "KerberosGetAFSToken yes" works correctly. It allows
>    obtaining a token in a new pagsh with K5-passwd login. I have noted,
>    however, an annoying delay between the act of successful authentication
>    and the moment when the tokenized session is finally established.
> 
>    In particular, client says:
> 
>          "debug1: Authentication succeeded"
> 
>    then server says:
> 
>          "debug1: server_input_channel_open: confirm session"
> 
>    and then server sleeps several *very* visible seconds prior to
>    continuing correctly.


Do you have some PAM routine to get the AFS token?

> 
>    With 3.7.1p2 and k5env/afslog everything works much faster.
> 
> 
> 3) Connecting from a session with k5 creds:
>    ----------------------------------------
>    GSSAPI authentication works and K5 credentials are being
>    forwarded correctly. However, while I am admitted to the host
>    with gssapi-with-mic, I am not getting token/pagsh anymore
>    (like in case of K5-password login).
> 
> I might have missed something. But the first impression is that
> 3.8p1 is i) a good step forward, but ii) still has to be worked on.

Did you set "KerberosGetAFSToken yes" in the sshd_config?

Do you have kafs, or a PAM exit, or the get_afs_token? (I have a newer version
which does the setpag in the current process.)
> 
> Andrei.

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444