[OpenAFS] ...automatic AFS token from Krb5 ticket in ssh/telnet?

Jason Garman jgarman@wedgie.org
Sun, 20 Jan 2002 17:44:21 -0500


Slightly unrelated question, but one that I'm struggling with:

I've got the AFS+MIT Kerberos5 combination working.  (not too difficult,
after a few times through)... but now I'm trying to integrate
single-sign-on and token passing/generation in ssh and possibly telnet
(looking to find a way to provide single-sign-on X sessions for people
logging into Windows).

The eventual setup should go something like this:

1) User logs into Windows 2k Citrix box
2) Kerberos tickets are generated from system login
3) Somehow I get these tickets into a Kerberized X server for Windows -- I
haven't even started investigating this yet -- is this even possible?
4) telnet/ssh/whatever the X server uses to log into the unix box will
receive the users' forwarded tickets and generate AFS tokens

What I have so far is the openssh-gssapi patch which kind of works, and
also Kerberos login against the MIT KDC on Windows 2k and Solaris.  SSH
Kerberos key exchange works great if you already have a Kerberos ticket
(tested with unix command line ssh client).  Forwardable tickets are
automatically forwarded to the destination.  There are a few issues though:

1) If a user doesn't have Kerberos tickets (we'll be occasionally logging
in directly to these unix boxes over ssh with password authentication)...
the user is authenticated but the Kerberos credentials cache is empty.
Worse yet, the KRB5CCNAME environment variable is empty so when you try to
kinit it complains until you unset KRB5CCNAME.
2) When logged in either through key exchange or password, you don't get
an AFS token.  I've tried compiling with afs support and krb4 support but
then there's all sorts of conflicts in the des functions between openssl
and kerberos4.

If there's a better place to ask or if anyone has any resources I should
look at please let me know...

Also is anyone planning on releasing a new version of the Krb5 migration
kit?  I can generate some patches to fix problems that I've encountered
compiling it if there's interest.  In general I've found that most of my
time getting all of this stuff to work together smoothly is spent trying
to find out what library a particular function lives in...

Thanks!
-- 
Jason Garman / jgarman@wedgie.org
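The two login-time problems raised above (a KRB5CCNAME that points at a missing cache and blocks kinit, and no AFS token after a Kerberized ssh login) can both be handled in a shell hook run from the user's profile. The script below is an added example, not code from the original post or from the OpenAFS or OpenSSH projects. It assumes MIT Kerberos `klist` and OpenAFS `aklog`/`tokens` are on PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a login-shell hook that
# (a) clears a KRB5CCNAME that names a missing or empty credential cache,
#     so kinit works without the user having to unset it by hand, and
# (b) obtains an AFS token with aklog when a valid Kerberos ticket exists.
# Assumes MIT krb5 'klist' and OpenAFS 'aklog'/'tokens' are installed.

# Strip the "FILE:" prefix used in MIT krb5 cache names; other cache
# types (KEYRING:, DIR:, ...) and bare paths are returned unchanged.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Exit 0 when $1 (a KRB5CCNAME value) is usable: a FILE cache must exist
# and be non-empty; an empty or unset value is never usable; other cache
# types are passed through so klist can judge them.
ccache_is_usable() {
    [ -n "$1" ] || return 1
    case "$1" in
        FILE:*|/*) f=$(ccache_path "$1"); [ -s "$f" ] ;;
        *)         return 0 ;;
    esac
}

# Decide what the hook should do with KRB5CCNAME. Prints one of:
#   keep   - cache is usable, leave KRB5CCNAME alone
#   unset  - KRB5CCNAME points nowhere useful; unset it so kinit works
decide_ccname() {
    if ccache_is_usable "$1"; then echo keep; else echo unset; fi
}

# The actual hook, to be called from ~/.profile or /etc/profile.d.
afs_login_hook() {
    if [ "$(decide_ccname "${KRB5CCNAME-}")" = unset ]; then
        unset KRB5CCNAME
    fi
    # klist -s exits 0 only if the cache holds a valid, unexpired TGT,
    # which is the case after a Kerberized ssh login with forwarding.
    if command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null; then
        if command -v aklog >/dev/null 2>&1; then
            aklog && tokens
        fi
    fi
}
```

Source the file and call `afs_login_hook` from the login shell's profile; with no ticket present it leaves the session untouched apart from clearing a stale KRB5CCNAME, and with a forwarded ticket it runs `aklog` and shows the resulting token with `tokens`.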