[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Douglas E. Engert
deengert@anl.gov
Mon, 26 Jan 2004 14:39:29 -0600
Does your ssh_config file have:
GSSAPIDelegateCredentials yes
or you need to specify it on the command line with -o.
Andrei Maslennikov wrote:
>
> Hi Douglas, and thanks for your comment.
>
> On Mon, 26 Jan 2004, Douglas E. Engert wrote:
>
> >
> > 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
> >
> > Was the ticket marked forwardable? Can you set with Heimdal in the
> > krb5.conf file a default that tickets should be forwardable?
> > What does klist -f show on host A?
>
> Yes, tickets are set to be forwardable in the [libdefaults] section:
>
> <ing@alfa ~>klist -f
> Credentials cache: FILE:/tmp/krb5cc_k20844
> Principal: ing@ING.UNIROMA1.IT
>
> Issued Expires Flags Principal
> Jan 26 20:34:02 Jan 27 03:14:02 FI
> krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
> Jan 26 20:34:02 Jan 27 03:14:02 afs@ING.UNIROMA1.IT
> Jan 26 20:34:31 Jan 27 03:14:02
> host/alfa.ing.uniroma1.it@ING.UNIROMA1.IT
>
> V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
>
> >
> >
> > 2) from host A, ssh to host B, login w/o pw (this time with GSSAPI)
> >
> > GSSAPI should have delegated a K5 credential, and set the KRB5CCNAME
> > on host B.
>
> This does not occur, however GSSAPI lets me in (without creds):
> ......
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi,password,keyboard-interactive
> debug1: Next authentication method: gssapi
> debug1: Authentication succeeded (gssapi). <<<<<<<<<<<<<<<<<<
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting authentication agent forwarding.
> Could not chdir to home directory /afs/ing/system/hq/ing: Permission denied
>
> >
> > > 3) inside host B: no K5 creds forwarded from host A, no token.
> >
> > We can do the above
>
> ..That's what the "sshd -d" tells me:
>
> .....
> debug1: userauth-request for user ing service ssh-connection method gssapi
> debug1: attempt 1 failures 1
> Postponed gssapi for ing from 151.100.85.253 port 44184 ssh2
> debug1: Got no client credentials
> Authorized to ing, krb5 principal ing@ING.UNIROMA1.IT (krb5_kuserok)
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2 <<<<<<<<<<<
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
> .....
> .....
> debug1: session_input_channel_req: session 0 req shell
> debug1: temporarily_use_uid: 401/401 (e=401/401)
> debug1: No credentials stored <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> debug1: restore_uid: (unprivileged)
> ...
>
> Inside the host B: no credentials at all:
>
> [ing@alfa /]$ /usr/heimdal/bin/klist
> klist: No ticket file: /tmp/krb5cc_401
>
> V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
>
> THERE SHOULD BE SOMETHING ELSE....
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
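Two checks for the situation discussed in this thread, added here as an example that is not from the thread, OpenSSH or Heimdal: parse Heimdal `klist -f` output for the F (forwardable) flag on the TGT, and scan an `sshd -d` log for the "Got no client credentials" / "No credentials stored" pair that shows GSSAPI authenticated without delegating anything. The sample inputs are constructed from the output quoted above; the klist column layout and the position of the flags column are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the failure it describes.
# (1) Does the local TGT carry the F (forwardable) flag in Heimdal `klist -f`?
# (2) Did the remote sshd actually store delegated credentials?
# All sample inputs are constructed to mirror the output quoted in the thread.

# Constructed Heimdal `klist -f` listing; the krbtgt principal is wrapped onto
# its own line, as in the quoted output (column layout is an assumption).
KLIST_OUT='Credentials cache: FILE:/tmp/krb5cc_k20844
Principal: ing@ING.UNIROMA1.IT

  Issued           Expires          Flags  Principal
Jan 26 20:34:02  Jan 27 03:14:02  FI
krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
Jan 26 20:34:02  Jan 27 03:14:02         afs@ING.UNIROMA1.IT'

# Constructed `sshd -d` excerpt: GSSAPI authentication succeeded, but the
# client delegated nothing (the symptom of GSSAPIDelegateCredentials being off).
SSHD_LOG_NODELEG='debug1: userauth-request for user ing service ssh-connection method gssapi
debug1: Got no client credentials
Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
debug1: No credentials stored'

# tgt_forwardable KLIST_OUTPUT REALM
# Exit 0 only if the krbtgt/REALM@REALM entry has an F in its flags column,
# whether the row is on one line or the principal wrapped to the next line.
tgt_forwardable() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        BEGIN { tgt = "krbtgt/" realm "@" realm }
        NF == 8 && $NF == tgt { found = 1; if ($7 ~ /F/) ok = 1 }   # one-line row with flags
        NF == 7 && $NF == tgt { found = 1 }                         # one-line row, no flags
        NF == 1 && $1 == tgt  { found = 1; if (prev ~ /F/) ok = 1 } # principal wrapped
        { prev = (NF == 7) ? $7 : "" }                              # remember flags of previous row
        END { exit ((found && ok) ? 0 : 1) }'
}

# delegation_received SSHD_DEBUG_LOG
# Exit 0 if sshd accepted GSSAPI and did not report missing or unstored
# credentials; 1 if it accepted GSSAPI but nothing was delegated; 2 if no
# GSSAPI accept appears at all.
delegation_received() {
    printf '%s\n' "$1" | grep -q '^Accepted gssapi ' || return 2
    printf '%s\n' "$1" | grep -Eq 'Got no client credentials|No credentials stored' && return 1
    return 0
}
```

On the client, `ssh -o GSSAPIDelegateCredentials=yes hostB` is the command-line form of the ssh_config line above; re-run the second check against the server's `sshd -d` output after enabling it.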