[OpenAFS-devel] OpenAFS and OpenSSH-3.8
Douglas E. Engert
deengert@anl.gov
Tue, 02 Mar 2004 16:35:29 -0600
Derek Atkins wrote:
>
> "Douglas E. Engert" <deengert@anl.gov> writes:
>
> >> > That might help. But it does not help with the gssapi delegated credentials,
> >> > as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
> >> > context. It's not in the gssapi case.
> >>
> >> Why doesn't it help?
> >
> > Because when the GSSAPI is used, the delegated credential is not
> > in s->authctxt->krb5_ctx SO the current kafs does not work with a
> > delegated credential. But in all cases the credentials are in the cache,
> > so a program like aklog called at this point can use the KRB5CCNAME.
>
> Then fix kafs so it uses the KRB5CCNAME instead of s->authctxt->krb5_ctx...
> Or fix the GSSAPI code so it stores the delegated credentials in that
> location as well.
WHAT DO YOU THINK I HAVE BEEN DOING ALL THESE YEARS TRYING TO GET YOU GUYS
TO LISTEN!!
I have been saying pitch kafs, put in a hook, use the fact that the
KRB5CCNAME is set.
I have a nice mod called get_afs_token, which I am using with OpenSSH
and the MIT rlogind, rshd, telnetd and ftpd. I have been using this method
for years with AFS and DFS. It sets the PAG using a syscall then fork/execs
ak5log.
BUT I want to get out of maintaining patches and see these types of
changes end up in the source so they will end up in distributed products
that work together!!
>
> This isn't rocket science. ;)
Sometimes I think it's harder :-)
>
> I suspect the latter change would require maybe 5 lines of code at
> most to implement.
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
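The "set the PAG, then fork/exec aklog using KRB5CCNAME" hook described in the message, as an added illustration in C; this is not Engert's get_afs_token patch or any OpenSSH/OpenAFS code. The PAG step is taken as a caller-supplied callback (assumption: the caller passes OpenAFS setpag() or Heimdal k_setpag(), or NULL where no AFS client is present), and the aklog path and credential cache name are plain parameters.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hook modelled on the post's approach. The PAG syscall is
 * platform specific, so the caller supplies it (e.g. OpenAFS setpag() or
 * Heimdal k_setpag()); NULL skips the PAG step. */
typedef int (*pag_fn)(void);

/* Returns 0 when aklog exited 0, -1 on a usage or fork/wait error, the
 * helper's exit status otherwise (127 if it could not be executed,
 * 128+signal if it was killed). */
int get_afs_token(const char *ccname, const char *aklog_path, pag_fn setpag_cb)
{
    if (ccname == NULL || *ccname == '\0' || aklog_path == NULL)
        return -1;            /* no delegated credential cache: nothing to do */

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: enter a fresh PAG so the token is bound to this login
         * session rather than to whatever PAG the daemon inherited. */
        if (setpag_cb != NULL && setpag_cb() != 0)
            _exit(127);
        /* aklog locates the (possibly GSSAPI-delegated) TGT through
         * KRB5CCNAME, not through any daemon-internal Kerberos context. */
        if (setenv("KRB5CCNAME", ccname, 1) != 0)
            _exit(127);
        execl(aklog_path, aklog_path, (char *)NULL);
        _exit(127);           /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}
```

In a real daemon the child would also switch to the authenticated user's uid before exec so the cache file is read with that user's permissions.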