[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos

Douglas E. Engert deengert@anl.gov
Mon, 26 Jan 2004 12:59:56 -0600


Derrick J Brashear wrote:
> 
> On Mon, 26 Jan 2004, Douglas E. Engert wrote:
> 
> > Rather than implementing kafs in MIT Kerberos, I would like to
> > suggest an alternative which has advantages to all parties.
> 
> Why would we do that instead of just supporting krb5 directly in OpenAFS?

One reason is to get OpenSSH to be built by vendors RedHat, OpenBSD,
Sun, HP, AIX ... with the hooks needed to support AFS in the executables.

Having it all in PAM looked promising, but the privsep and PAG interactions
are a problem.  

> 
> > In its simplest form, all that is needed is:
> >
> >   system("/usr/ssh/libexec/aklog -setpag")
> 
> Ew. See also my rants to Ken (you FORKED an AKLOG?)

Yes, ak5log or gssklog. Note the -setpag, when it works, is nice
as this sets the PAG in the parent process, so it makes it even easier
to get the OpenAFS dependencies out of the caller.

As a simple example, when gssklog was used with Globus, we had the following
mod. I would like to see something as simple added to OpenSSH.
(On SGI and AIX the -setpag did not work as expected, so the
patch got a PAG directly using syscall.)
 
*** ,globus_gatekeeper.c        Mon Sep 24 15:53:05 2001
--- globus_gatekeeper.c Thu Aug  1 10:12:41 2002
***************
*** 1928,1933 ****
--- 1928,1981 ----
  
      if (pid == 0)
      {
+ 
+       /*
+        * if gssklog is present in the libexecdir run it for the user 
+        * this will get an AFS token. If fails, continue on 
+        * SGI and AIX have problems with the -setpag, so we
+        * must get a PAG using the system call
+        * for AIX, load the apagaix to get entry for lsetpag
+        */
+               {
+                       char * gssklog_path;
+                       char * gssklog_command;
+ #if defined(TARGET_ARCH_AIX)
+                       static int (*apagaix)() = 0;
+                       char * apagaix_path;
+ #endif
+ 
+                       gssklog_path=genfilename(libexecdir,"gssklog",NULL); 
+                       if (stat(gssklog_path, &statbuf) == 0)
+                       {
+                               if ((statbuf.st_mode & 0111))
+                               {
+                                       gssklog_command = (char *)malloc(strlen(gssklog_path)+9);
+                                       strcpy(gssklog_command,gssklog_path);
+ 
+ #if defined(TARGET_ARCH_IRIX)
+                                       syscall(1065,0,0,0,0,0,0); /* AFS PAG */
+ #elif defined(TARGET_ARCH_AIX)
+                                       if (!apagaix)
+                                       {
+                                               apagaix_path=genfilename(libexecdir,
+                                                       "apagaix",NULL);
+                                               apagaix = load(apagaix_path,0,0);
+                                               free(apagaix_path);
+                                       }
+                                       if (apagaix)
+                                       {
+                                               (*apagaix)();
+                                       }
+ #else
+                                       strcat(gssklog_command," -setpag");
+ #endif
+                                       rc = system(gssklog_command);
+                                   notice2(0,"gssklog rc=%d",rc);
+                               }
+                       }
+                       free(gssklog_path);
+                       free(gssklog_command);
+           }
                close(close_on_exec_read_fd);
  
                /* stderr is still set to logfile, user's stderr or /dev/null */
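Review bot: `free(gssklog_command);` at the end of the new block runs on every path, but `gssklog_command` is only assigned inside the `if ((statbuf.st_mode & 0111))` branch, so when `stat()` fails or the file is not executable the child frees an uninitialized pointer before reaching `close(close_on_exec_read_fd)`. Initialize it (`char * gssklog_command = NULL;`) or move the `free()` into the branch where it is allocated, and check the `malloc()` result before `strcpy()`. Two smaller points: `rc = system(gssklog_command);` returns a wait status, not the helper's exit code, so `notice2(0,"gssklog rc=%d",rc);` logs an encoded value unless decoded with `WEXITSTATUS()`; and `system()` hands the path to a shell, whereas a `fork()`/`execv()` with an argv array would run the helper without shell interpretation. The IRIX `syscall(1065,0,0,0,0,0,0)` magic number and the ignored return value of `(*apagaix)()` would also benefit from a named constant and a logged failure, since a failed PAG acquisition currently continues silently.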


-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
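The pattern discussed above (run a token-acquiring helper such as gssklog or aklog with -setpag from the forked child, skip it if the helper is absent, and continue on failure) written as a stand-alone function. This is an added illustration, not the gatekeeper patch or any OpenAFS/Globus code; the helper name and return conventions are assumptions, and it uses fork/execv plus waitpid so no shell parses the path and the real exit code is returned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "<libexecdir>/<helper> [arg]" in a child and return its exit code.
 * Returns -1 when the helper is missing or not executable (caller continues
 * without an AFS token), -2 on fork/wait failure or a signal death.
 * Hypothetical function, not the gatekeeper's or OpenSSH's own code. */
int run_token_helper(const char *libexecdir, const char *helper, const char *arg)
{
    char path[4096];
    struct stat st;
    char *argv[3];
    pid_t pid;
    int status;

    if (snprintf(path, sizeof path, "%s/%s", libexecdir, helper) >= (int)sizeof path)
        return -1;
    /* Only run a regular file that has an execute bit; otherwise skip it. */
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || !(st.st_mode & 0111))
        return -1;

    argv[0] = path;
    argv[1] = (char *)arg;   /* e.g. "-setpag"; NULL when no argument */
    argv[2] = NULL;

    pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        /* execv takes an argv array, so the path is never shell-interpreted */
        execv(path, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -2;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);   /* decoded exit code, not raw status */
    return -2;
}
```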