[OpenAFS-devel] OpenAFS and OpenSSH-3.8

Douglas E. Engert deengert@anl.gov
Sun, 29 Feb 2004 20:26:17 -0600


Derrick J Brashear wrote:
> 
> On Sun, 29 Feb 2004, Douglas E. Engert wrote:
> 
> > Not really. I was trying to convince the OpenSSH people to in effect
> > add a hook to the code, so the sshd could be run on a system with
> > or without OpenAFS, by using a dynamically loaded lib. If it was
> > not present, the sshd would continue.
> >
> > So far the OpenSSH people have not been convinced.
> >
> > If it was a shared lib, I believe it would mean sshd would fail
> > if the lib was not present.
> 
> why, you can dlopen a shlib and dlsym the symbols you want

The OpenSSH people don't want to add the dlopen, dlsym to OpenSSH,
so it is a moot point. See their response.

> 
> Markus Friedl wrote:
> >
> > On Fri, Feb 27, 2004 at 05:23:38PM -0600, Douglas E. Engert wrote:
> > >  Would OpenSSH be willing to add such a mod?
> >
> > i don't see why sshd should play a dynamic linking game.
> >
> > either the library has the symbol at compiletime
> > or not.
> 
> If a vendor, like Red Hat, Apple, Sun, HP, IBM or OpenBSD builds
> OpenSSH for distribution, they can do it without having OpenAFS
> available at compile time.
> 
> Yet when the end user uses OpenSSH on a system with OpenAFS
> they will work together because the hook in OpenSSH will already be
> in place by default.
> 
> The use of the dynamic library gets the setpag code to run from
> the correct process. It might also be usable with PAGs for NFSv4.
> 
> Two other approaches are:
> 
>   (1) Make the get_afs_token routine part of OpenSSH and compiled in.
>       But this then has some dependencies on how the setpag is done
>       and vendors may not compile in this option, especially if any
>       OpenAFS libs are required at compile time.
> 
>   (2) PAM could be called when GSSAPI is used for authentication.
>       A PAM session routine could do the setpag, as long as the PAM
>       routine is run from the correct process.
> 
>       This opens up some other possibilities of moving some or all
>       of the Heimdal vs MIT kerberos dependencies to PAM routines
>       as well.
> 
> 
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 


> 
> > > Does libafsrpc.so/libafsauthent.so not have what you need?
> >
> > I don't think so. I was looking for two functions for the
> > hook.  Set the PAG, from the process loading and calling the hook,
> > and get a token. The token could be obtained using something like
> > aklog, or afslog, or even gssklog. (Note that the gssklog could
> > use any GSSAPI, including non Kerberos based gssapi, like the
> > Globus GSI.)
> 
> well, so, you want libkafs/libkrbafs, and strictly speaking them don't
> need to come from openafs.
> 
> ken hornstein is supposed to be integrating aklog into the openafs source
> base, so after he does maybe we can also include libk{,rb}afs.

That might help. But it does not help with the GSSAPI delegated credentials,
as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
context. It's not in the GSSAPI case.

But both the GSSAPI delegated creds and the credentials obtained via user/password
have been written to the cache, and the ENV KRB5CCNAME has been set.
That's why running aklog or afslog works.





-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
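The dlopen/dlsym hook discussed in the thread, written out as an added example (not OpenSSH or OpenAFS code): the library and entry-point names are passed in by the caller and are assumed, and the entry point is assumed to have the libkafs-style signature int fn(void). When the library is absent the hook reports that and the caller continues without AFS.

```c
/* Optional run-time hook: load a PAG/token library if it is installed,
 * call its entry point, and otherwise carry on without it.
 * Added example; library and symbol names are caller-supplied assumptions.
 * Build with -ldl on glibc older than 2.34. */
#include <dlfcn.h>
#include <stdio.h>

enum hook_status {
    HOOK_NO_LIBRARY = 0,  /* library not present: continue without AFS */
    HOOK_NO_SYMBOL  = 1,  /* library present but lacks the entry point */
    HOOK_CALLED     = 2   /* entry point found and invoked */
};

/* Assumed entry-point shape, e.g. k_setpag() in libkafs: int fn(void). */
typedef int (*pag_hook_fn)(void);

/* Try to run `symname` from `libname`. On HOOK_CALLED, *rc receives the
 * entry point's return value. A NULL libname means "the running program
 * and its dependencies" (dlopen semantics). */
enum hook_status run_optional_hook(const char *libname, const char *symname, int *rc)
{
    void *handle = dlopen(libname, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {
        fprintf(stderr, "hook: %s unavailable (%s); continuing\n",
                libname ? libname : "(self)", dlerror());
        return HOOK_NO_LIBRARY;
    }
    dlerror();                                   /* clear stale error state */
    pag_hook_fn fn = (pag_hook_fn)dlsym(handle, symname);
    if (fn == NULL) {
        fprintf(stderr, "hook: %s lacks %s; continuing\n",
                libname ? libname : "(self)", symname);
        dlclose(handle);
        return HOOK_NO_SYMBOL;
    }
    *rc = fn();
    /* Keep the library mapped: a PAG it set belongs to this process. */
    return HOOK_CALLED;
}

int main(void)
{
    int rc = 0;
    /* Constructed, non-existent library name to show the "absent" path. */
    enum hook_status st = run_optional_hook("libafs-hook-constructed-missing.so",
                                            "setpag", &rc);
    printf("status=%d (0 means sshd would continue without AFS)\n", st);
    return 0;
}
```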