[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos

Andrei Maslennikov andrei@caspur.it
Mon, 26 Jan 2004 20:49:28 +0100 (MET)


Hi Douglas, and thanks for your comment.


On Mon, 26 Jan 2004, Douglas E. Engert wrote:

> 
> 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
> 
> Was the ticket marked forwardable?  Can you set with Heimdal in the
> krb5.conf file a default that tickets should be forwardable? 
> What does klist -f show on host A?

  Yes, tickets are set to be forwardable in the [libdefaults] section:

<ing@alfa ~>klist -f
Credentials cache: FILE:/tmp/krb5cc_k20844
        Principal: ing@ING.UNIROMA1.IT

  Issued           Expires        Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  FI     krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
Jan 26 20:34:02  Jan 27 03:14:02         afs@ING.UNIROMA1.IT
Jan 26 20:34:31  Jan 27 03:14:02         host/alfa.ing.uniroma1.it@ING.UNIROMA1.IT

   V4-ticket file: /tmp/tkt401
klist: No ticket file (tf_util)
  
> 
> 
> 2) from host A, ssh to host B, login w/o pw (this time with GSSAPI)
> 
> GSSAPI should have delegated a K5 credential, and set the KRB5CCNAME
> on host B. 

  This does not occur; however, GSSAPI lets me in (without creds):
......
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
debug1: Next authentication method: gssapi       
debug1: Authentication succeeded (gssapi).  <<<<<<<<<<<<<<<<<<
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
Could not chdir to home directory /afs/ing/system/hq/ing: Permission denied

> 
> >   3) inside host B: no K5 creds forwarded from host A, no token.
> 
> We can do the above

  That's what "sshd -d" tells me:

.....
debug1: userauth-request for user ing service ssh-connection method gssapi
debug1: attempt 1 failures 1
Postponed gssapi for ing from 151.100.85.253 port 44184 ssh2
debug1: Got no client credentials
Authorized to ing, krb5 principal ing@ING.UNIROMA1.IT (krb5_kuserok)
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2  <<<<<<<<<<<
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
.....
.....
debug1: session_input_channel_req: session 0 req shell
debug1: temporarily_use_uid: 401/401 (e=401/401)
debug1: No credentials stored   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
debug1: restore_uid: (unprivileged)
...

  Inside host B: no credentials at all:

[ing@alfa /]$ /usr/heimdal/bin/klist
klist: No ticket file: /tmp/krb5cc_401

   V4-ticket file: /tmp/tkt401
klist: No ticket file (tf_util)

  THERE SHOULD BE SOMETHING ELSE....
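A small check for the two conditions discussed in this thread, added here as an example and not part of the original mail: it parses Heimdal `klist -f` output (the sample is constructed in the shape of the listing above) and reports whether the TGT carries the forwardable flag, and it scans `sshd -d` output for the two messages marked with arrows above. The function names and the sample text are my own assumptions, not Heimdal or OpenSSH code.

```python
import re

# Constructed sample in the shape of Heimdal "klist -f" output (the mail
# wraps long principals; real output keeps each ticket on one line).
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_k20844
        Principal: ing@ING.UNIROMA1.IT

  Issued           Expires        Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  FI     krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
Jan 26 20:34:02  Jan 27 03:14:02         afs@ING.UNIROMA1.IT
Jan 26 20:34:31  Jan 27 03:14:02         host/alfa.ing.uniroma1.it@ING.UNIROMA1.IT
"""

# Constructed sample of the relevant "sshd -d" lines from the thread.
SAMPLE_SSHD = """\
debug1: Got no client credentials
Authorized to ing, krb5 principal ing@ING.UNIROMA1.IT (krb5_kuserok)
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
debug1: No credentials stored
"""

# One ticket line: issued, expires, optional flag letters, principal.
TICKET_RE = re.compile(
    r"^(?P<issued>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<flags>[A-Za-z]*)\s+"
    r"(?P<principal>\S+@\S+)\s*$"
)


def parse_klist(text):
    """Map each ticket's principal to the set of flag letters shown for it."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets[m.group("principal")] = set(m.group("flags"))
    return tickets


def tgt_forwardable(klist_text, realm):
    """True if the TGT for `realm` is present and marked F (forwardable).
    Without that flag GSSAPI can still authenticate the user, but the
    client has nothing it is allowed to delegate to host B."""
    flags = parse_klist(klist_text).get(f"krbtgt/{realm}@{realm}")
    return flags is not None and "F" in flags


def delegation_failed(sshd_debug):
    """True when sshd -d output shows GSSAPI accepted without delegation."""
    markers = ("Got no client credentials", "No credentials stored")
    return any(marker in line for line in sshd_debug.splitlines() for marker in markers)
```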