[OpenAFS-devel] OpenAFS and OpenSSH-3.8

Douglas E. Engert deengert@anl.gov
Thu, 26 Feb 2004 17:37:02 -0600


I would like to submit a mod like this to OpenSSH. But would
like comments from OpenAFS as it only makes sense if OpenAFS
is willing to support it.

It has been reported that the kafs code does not work with 
delegated gssapi credentials in OpenSSH-3.8. I have not had
this problem as I used a different method which this mod is 
based on. This proposed change would replace the calls to kafs.  

OpenAFS could then distribute the dynamic library, that would
get a PAG and fork/exec some program like aklog, or afslog to
actually get the token.  

The aklog or afslog could be distributed by OpenAFS or some
Kerberos vendor. 

The nice features of this are that it can be compiled in 
even if OpenAFS is not available. At runtime if the
dynamic library is present, it can be loaded and called.
A dynamic lib is used so the setpag is in the same process. 

The routine loaded is the get_afs_token routine that I proposed
last week but without the -setpag "kernel hack". It would have
setpag code added to it instead and this runs in the current
process avoiding the need to set the PAG in the parent process.   

The following compiles but I have not tested it. I am looking
for comments.

Would OpenAFS be willing to distribute the dynamic library?

Would the Kerberos developers be willing to provide the
aklog or afslog that accepted -p <path> and an environment
with the KRB5CCNAME in it?

If so, would OpenSSH be willing to add such a mod?

--- ,session.c	Mon Feb 23 07:01:27 2004
+++ session.c	Thu Feb 26 14:10:39 2004
@@ -58,9 +58,13 @@
 #include "session.h"
 #include "monitor_wrap.h"
 
+#ifdef ANL_AFS_PAG
+#include <dlfcn.h>
+#else
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
+#endif
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -1453,6 +1457,28 @@
 	 */
 	environ = env;
 
+
+#ifdef ANL_AFS_PAG
+	/* Get PAG and AFS token using external program and KRB5CCNAME */
+	if (options.kerberos_get_afs_token) {
+		void * handle;
+		int (*get_afs_token)(char * pgm, char ** env, 
+				char *homedir, int setpag);
+
+		debug("Getting AFS PAG and token");
+		handle = dlopen("/usr/lib/afs_get_token.so",0); /* needs a better location */
+		
+		if (handle) {
+			get_afs_token = dlsym(handle, "get_afs_token");
+			if (get_afs_token) { 
+				debug("calling get_afs_token");
+				(*get_afs_token)(NULL, env, pw->pw_dir, 1);
+			}
+			dlclose(handle);
+		}
+	}
+#else
+
 #if defined(KRB5) && defined(USE_AFS)
 	/*
 	 * At this point, we check to see if AFS is active and if we have
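Review bot: `dlopen("/usr/lib/afs_get_token.so",0)` passes a flags value of 0, which is not a valid mode; POSIX requires RTLD_LAZY or RTLD_NOW, and some dlopen implementations return NULL (or misbehave) when neither is given, so use `dlopen(path, RTLD_NOW)`. The path itself is hard-coded (the comment already says it needs a better location): loading a shared object into sshd from a fixed world-readable directory means the library's ownership and permissions become part of sshd's trust boundary, so the location should be a configurable option (like options.kerberos_get_afs_token, whose servconf/readconf definition is also missing from this diff) and the code should refuse to load anything that is not root-owned and unwritable by others. Smaller points in the same block: when dlopen() or dlsym() fails nothing is logged, so add `debug("dlopen: %s", dlerror())` on each failure path to make misconfiguration diagnosable; the return value of `(*get_afs_token)(NULL, env, pw->pw_dir, 1)` is discarded, so a failed setpag or token acquisition goes unnoticed by the session; and the `int (*get_afs_token)(...)` assignment from `dlsym()` converts a `void *` to a function pointer, which warns under strict compilers and is usually written via a `union` or an explicit cast.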
@@ -1477,6 +1503,7 @@
 		krb5_afslog_home(s->authctxt->krb5_ctx,
 		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
 	}
+#endif
 #endif
 
 	/* Change current directory to the user\'s home directory. */
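Review bot: the added `#endif` closes the inner `#if defined(KRB5) && defined(USE_AFS)` and the pre-existing `#endif` now closes `#ifdef ANL_AFS_PAG`, which is correct but hard to read across a 50-line span with the `#else` in the previous hunk; label both with trailing comments (`#endif /* KRB5 && USE_AFS */` and `#endif /* ANL_AFS_PAG */`) so the nesting is verifiable without scrolling. Note also that in the ANL_AFS_PAG build the krb5_afslog_home() path above is compiled out entirely rather than used as a fallback when the library is absent; if the intent is "use the library when present, otherwise kafs", the two branches need to be runtime alternatives rather than mutually exclusive preprocessor branches.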