[OpenAFS-devel] New OpenSSH
Douglas E. Engert
deengert@anl.gov
Wed, 25 Feb 2004 10:46:04 -0600
sxw@inf.ed.ac.uk wrote:
>
> On Wed, 25 Feb 2004, Andrei Maslennikov wrote:
>
> > 3) Connecting from a session with k5 creds:
> > ---------------------------------------
> > GSSAPI authentication works and K5 credentials are being
> > forwarded correctly. However, while I am admitted to the host
> > with gssapi-with-mic, I am not getting token/pagsh anymore
> > (like in case of K5-password login).
>
> Yes. The code paths here are completely different, and the AFS code in
> OpenSSH is only invoked if a credentials cache is obtained directly
> through Kerberos (rather than through GSSAPI).

It looks like it works for me. I have a mod in session.c to call the get_afs_token
routine which replaces the k_afs calls. I see in the debug output that
it is indeed calling my routine and passing the delegated credentials to it
via the KRB5CCNAME environment.

So this may be a problem with the way the k_afs works which may expect
the credentials in memory?

Here is a piece of the log on the client side.

debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_134_x26699 ## From gss-serv.c:
Environment: ## From session.c copy_environment
KRB5CCNAME=FILE:/tmp/krb5cc_134_x26699
[... left out a few lines...]
debug3: channel 0: close_fds r -1 w -1 e -1
debug3: channel 1: close_fds r 18 w 18 e -1
debug1: Getting AFS PAG and token ## From my call to get_afs_token in session.c
Checking directory /afs ## From my ak5log which was forked/execd in get_afs_token.
Checking directory /afs/anl.gov ## and used the KRB5CCNAME to find the credentials.
Authenticating to cell anl.gov.
Getting tickets: afsx/anl.gov@KRB5.ANL.GOV
>
> Cheers,
>
> Simon.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
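
Added example, not code from this message, OpenSSH or OpenAFS: a C illustration of the hand-off the message describes, where a forked/exec'd helper locates the delegated credentials through KRB5CCNAME. The function name `run_with_ccache`, the restriction to `FILE:/` caches, the fixed PATH and the `/bin/sh` stand-in for the token helper are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] with a minimal environment in which
 * KRB5CCNAME names the delegated credentials cache. Returns the helper's
 * exit status, or -1 on a rejected cache name or a fork/wait failure. */
int run_with_ccache(const char *ccname, char *const argv[])
{
    char ccenv[512];
    int status, n;
    pid_t pid;

    /* Assumption: accept only a file cache with an absolute path, the form
     * that appears in the log above. */
    if (ccname == NULL || strncmp(ccname, "FILE:/", 6) != 0)
        return -1;
    n = snprintf(ccenv, sizeof(ccenv), "KRB5CCNAME=%s", ccname);
    if (n < 0 || (size_t)n >= sizeof(ccenv))
        return -1;              /* name too long to pass on intact */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: hand over only what the helper needs, not the whole
         * environment of the calling process. */
        char *envp[] = { ccenv, "PATH=/usr/bin:/bin", NULL };
        execve(argv[0], argv, envp);
        _exit(127);             /* exec failed */
    }
    /* Parent: wait for the helper, retrying if a signal interrupts. */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed stand-in for the token helper: exits 0 only if it
     * sees the cache name in its environment. */
    char *const argv[] = { "/bin/sh", "-c",
        "test \"$KRB5CCNAME\" = FILE:/tmp/krb5cc_demo", NULL };
    return run_with_ccache("FILE:/tmp/krb5cc_demo", argv);
}
```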