[OpenAFS-devel] New OpenSSH
Douglas E. Engert
deengert@anl.gov
Wed, 25 Feb 2004 07:58:39 -0600
Andrei Maslennikov wrote:
>
> On Tue, 24 Feb 2004, Jim Rees wrote:
>
> > I see that OpenSSH 3.8 was released today, with "New KerberosGetAFSToken
> > option for sshd(8)." This sounds like good news.
>
> I tried it on Linux. First notes follow:
>
> 1) gssapi was replaced with gssapi-with-mic, and this means that
> ssh_config now should contain:
>
> "GSSAPIAuthentication yes"
> "GSSAPIDelegateCredentials yes".
>
> (to allow gssapi/mic authentication with delegation of credentials).
>
> 2) Connecting from a session without k5 creds:
> -------------------------------------------
> The new option "KerberosGetAFSToken yes" works correctly. It allows one
> to obtain a token in a new pagsh with K5-passwd login. I have noted,
> however, an annoying delay between the act of successful authentication
> and the moment when the tokenized session is finally established.
>
> In particular, client says:
>
> "debug1: Authentication succeeded"
>
> then server says:
>
> "debug1: server_input_channel_open: confirm session"
>
> and then server sleeps several *very* visible seconds before
> continuing correctly.
Do you have some PAM routine to get the AFS token?
>
> With 3.7.1p2 and k5env/afslog everything works much faster.
>
>
> 3) Connecting from a session with k5 creds:
> ---------------------------------------
> GSSAPI authentication works and K5 credentials are being
> forwarded correctly. However, while I am admitted to the host
> with gssapi-with-mic, I am not getting token/pagsh anymore
> (like in case of K5-password login).
>
> I might have missed something. But the first impression is that
> 3.8p1 is i) a good step forward, but ii) still has to be worked on.
Did you set "KerberosGetAFSToken yes" in the sshd_config?
Do you have kafs, or a PAM exit or the get_afs_token? (I have a newer version
which does the setpag in the current process.)
>
> Andrei.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444