[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos
Andrei Maslennikov
andrei@caspur.it
Mon, 26 Jan 2004 20:49:28 +0100 (MET)
Hi Douglas, and thanks for your comment.
On Mon, 26 Jan 2004, Douglas E. Engert wrote:
>
> 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
>
> Was the ticket marked forwardable? Can you set with Hiemdal in the
> krb5.conf file a default that tickets should be forwardable?
> What does klist -f show on host A?
Yes, tickets are set to be forwardable in the [libdefaults] section:
<ing@alfa ~>klist -f
Credentials cache: FILE:/tmp/krb5cc_k20844
Principal: ing@ING.UNIROMA1.IT
Issued Expires Flags Principal
Jan 26 20:34:02 Jan 27 03:14:02 FI
krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
Jan 26 20:34:02 Jan 27 03:14:02 afs@ING.UNIROMA1.IT
Jan 26 20:34:31 Jan 27 03:14:02
host/alfa.ing.uniroma1.it@ING.UNIROMA1.IT
V4-ticket file: /tmp/tkt401
klist: No ticket file (tf_util)
>
>
> 2) from host A, ssh to host B, login w/o pw (this time with GSSAPI)
>
> GSSAPI should have delegated a K5 credential, and set the KRB5CCNAME
> on host B.
This does not occur, however GSSAPI lets me in (without creds):
......
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi,password,keyboard-interactive
debug1: Next authentication method: gssapi
debug1: Authentication succeeded (gssapi). <<<<<<<<<<<<<<<<<<
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
Could not chdir to home directory /afs/ing/system/hq/ing: Permission
denied
>
> > 3) inside host B: no K5 creds forwarded from host A, no token.
>
> We can do the above
..That's what the "sshd -d" tells me:
.....
debug1: userauth-request for user ing service ssh-connection method gssapi
debug1: attempt 1 failures 1
Postponed gssapi for ing from 151.100.85.253 port 44184 ssh2
debug1: Got no client credentials
Authorized to ing, krb5 principal ing@ING.UNIROMA1.IT (krb5_kuserok)
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2 <<<<<<<<<<<
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
.....
.....
debug1: session_input_channel_req: session 0 req shell
debug1: temporarily_use_uid: 401/401 (e=401/401)
debug1: No credentials stored <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
debug1: restore_uid: (unprivileged)
...
Inside the host B: no credentials at all:
[ing@alfa /]$ /usr/heimdal/bin/klist
klist: No ticket file: /tmp/krb5cc_401
V4-ticket file: /tmp/tkt401
klist: No ticket file (tf_util)
THERE SHOULD BE SOMETHING ELSE....