[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Douglas E. Engert deengert@anl.gov
Mon, 26 Jan 2004 14:39:29 -0600


Does your ssh_config file have:
GSSAPIDelegateCredentials yes

or you need to specify it on the command line with -o.


Andrei Maslennikov wrote:
> 
> Hi Douglas, and thanks for your comment.
> 
> On Mon, 26 Jan 2004, Douglas E. Engert wrote:
> 
> >
> > 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
> >
> > Was the ticket marked forwardable?  Can you set with Heimdal in the
> > krb5.conf file a default that tickets should be forwardable?
> > What does klist -f show on host A?
> 
>   Yes, tickets are set to be forwardable in the [libdefaults] section:
> 
> <ing@alfa ~>klist -f
> Credentials cache: FILE:/tmp/krb5cc_k20844
>         Principal: ing@ING.UNIROMA1.IT
> 
>   Issued           Expires        Flags    Principal
> Jan 26 20:34:02  Jan 27 03:14:02  FI       krbtgt/ING.UNIROMA1.IT@ING.UNIROMA1.IT
> Jan 26 20:34:02  Jan 27 03:14:02           afs@ING.UNIROMA1.IT
> Jan 26 20:34:31  Jan 27 03:14:02           host/alfa.ing.uniroma1.it@ING.UNIROMA1.IT
> 
>    V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
> 
> >
> >
> > 2) from host A, ssh to host B, login w/o pw (this time with GSSAPI)
> >
> > GSSAPI should have delegated a K5 credential, and set the KRB5CCNAME
> > on host B.
> 
>   This does not occur, however GSSAPI lets me in (without creds):
> ......
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi,password,keyboard-interactive
> debug1: Next authentication method: gssapi
> debug1: Authentication succeeded (gssapi).  <<<<<<<<<<<<<<<<<<
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting authentication agent forwarding.
> Could not chdir to home directory /afs/ing/system/hq/ing: Permission denied
> 
> >
> > >   3) inside host B: no K5 creds forwarded from host A, no token.
> >
> > We can do the above
> 
>   ..That's what the "sshd -d" tells me:
> 
> .....
> debug1: userauth-request for user ing service ssh-connection method gssapi
> debug1: attempt 1 failures 1
> Postponed gssapi for ing from 151.100.85.253 port 44184 ssh2
> debug1: Got no client credentials
> Authorized to ing, krb5 principal ing@ING.UNIROMA1.IT (krb5_kuserok)
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2  <<<<<<<<<<<
> Accepted gssapi for ing from 151.100.85.253 port 44184 ssh2
> .....
> .....
> debug1: session_input_channel_req: session 0 req shell
> debug1: temporarily_use_uid: 401/401 (e=401/401)
> debug1: No credentials stored   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> debug1: restore_uid: (unprivileged)
> ...
> 
>   Inside the host B: no credentials at all:
> 
> [ing@alfa /]$ /usr/heimdal/bin/klist
> klist: No ticket file: /tmp/krb5cc_401
> 
>    V4-ticket file: /tmp/tkt401
> klist: No ticket file (tf_util)
> 
>   THERE SHOULD BE SOMETHING ELSE....

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
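As an added example (not code from the thread or from either poster), a small POSIX shell diagnostic for the two client-side preconditions discussed above: the TGT in the cache must carry the F (forwardable) flag in `klist -f`, and the client's ssh_config must enable GSSAPIDelegateCredentials. It assumes the Heimdal `klist -f` column layout shown in the thread; the realm, cache path and config lines in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks the two client-side
# preconditions for GSSAPI credential delegation:
#   1. the krbtgt in the cache carries the F (forwardable) flag
#   2. ssh_config sets GSSAPIDelegateCredentials yes
# Assumes the Heimdal "klist -f" column layout (MIT klist prints flags
# on a separate "Flags:" line and is not handled here).

# tgt_forwardable: read "klist -f" output on stdin; exit 0 only if the
# krbtgt row has a Flags column containing F (uppercase = forwardable;
# lowercase f would mean "forwarded", which is not what we want).
tgt_forwardable() {
    awk '
        # A row with a Flags column has 8 fields, without it only 7.
        $NF ~ /^krbtgt\// { if (NF == 8 && $7 ~ /F/) ok = 1 }
        END { exit !ok }
    '
}

# delegation_configured: read an ssh_config on stdin; exit 0 if an
# uncommented line enables GSSAPIDelegateCredentials. Keywords are
# case-insensitive. Simplification: Host/Match blocks are ignored, so
# feed it the config that actually applies to the target host.
delegation_configured() {
    grep -Eiq '^[[:space:]]*GSSAPIDelegateCredentials[[:space:]]+yes([[:space:]]|$)'
}

# Constructed samples (realm, cache name and principals are placeholders).
KLIST_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_example
        Principal: user@EXAMPLE.ORG

  Issued           Expires        Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  FI       krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 26 20:34:02  Jan 27 03:14:02           afs@EXAMPLE.ORG'

KLIST_NOT_FORWARDABLE='  Issued           Expires        Flags    Principal
Jan 26 20:34:02  Jan 27 03:14:02  I        krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

SSH_CONFIG_OK='# constructed ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes'

SSH_CONFIG_MISSING='GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes   (commented out: no delegation)'

# Demo on the constructed samples. On a real client run instead:
#   klist -f | tgt_forwardable ; delegation_configured < ~/.ssh/config
printf '%s\n' "$KLIST_FORWARDABLE" | tgt_forwardable \
    && echo "TGT forwardable: yes" || echo "TGT forwardable: no"
printf '%s\n' "$SSH_CONFIG_OK" | delegation_configured \
    && echo "delegation configured: yes" || echo "delegation configured: no"
```

If both checks pass on host A and `klist` on host B still shows no cache, the remaining suspects are on the server side (sshd's GSSAPI settings and whether the delegated credential is stored), which is what the `sshd -d` lines in the thread are showing.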