[OpenAFS-devel] OpenAFS and OpenSSH-3.8
Derek Atkins
derek@ihtfp.com
Tue, 02 Mar 2004 17:07:23 -0500
"Douglas E. Engert" <deengert@anl.gov> writes:
>> > That might help. But it does not help with the gssapi delegated credentials,
>> > as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
>> > context. It's not in the gssapi case.
>>
>> Why doesn't it help?
>
> Because when the GSSAPI is used, the delegated credential is not
> in s->authctxt->krb5_ctx so the current kafs does not work with a
> delegated credential. But in all cases the credentials are in the cache,
> so a program like aklog called at this point can use the KRB5CCNAME.

Then fix kafs so it uses the KRB5CCNAME instead of s->authctxt->krb5_ctx...
Or fix the GSSAPI code so it stores the delegated credentials in that
location as well.

This isn't rocket science. ;)

I suspect the latter change would require maybe 5 lines of code at
most to implement.

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant