[OpenAFS] ...automatic AFS token from Krb5 ticket in ssh/telnet?

Charles Clancy security@xauth.net
Sun, 20 Jan 2002 16:52:07 -0600 (CST)


> 1) User logs into Windows 2k Citrix box
> 2) Kerberos tickets are generated from system login
> 3) Somehow I get these tickets into a Kerberized X server for Windows -- I
> haven't even started investigating this yet -- is this even possible?
> 4) telnet/ssh/whatever the X server uses to log into the unix box will
> receive the users' forwarded tickets and generate AFS tokens

Hmm... the whole Xserver thing sounds difficult.  Why have 2 layers?  Get
rid of Citrix, and give people thin clients running XDM.

Alternatively, use a passive XServer.  Use a kerberized SSH to log in,
(thus getting the appropriate TGTs and AFS Tokens), set the $DISPLAY, and
fire off an Xterm.  You can even forward the X connection through SSH,
making it secure!

> 1) If a user doesn't have Kerberos tickets (we'll be occasionally logging
> in directly to these unix boxes over ssh with password authentication)...
> the user is authenticated but the Kerberos credentials cache is empty.
> Worse yet, the KRB5CCNAME environment variable is empty so when you try to
> kinit it complains until you unset KRB5CCNAME.

My experience is with the kerberos PAM module.  In that case, it'll get a
TGT for you while processing the password authentication.

> 2) When logged in either through key exchange or password, you don't get
> an AFS token.  I've tried compiling with afs support and krb4 support but
> then there's all sorts of conflicts in the des functions between openssl
> and kerberos4.

Agk -- it has nothing to do with kerberos 4.  You need to run aklog.  You
can either put it in their startup shell script, or use something like
pam_openafs_session (required for things like scp and ftp to work).

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
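An added example, not part of Clancy's reply or of OpenAFS itself, showing the "put aklog in their startup shell script" option from the answer above: a POSIX sh profile fragment that converts an existing Kerberos 5 TGT into an AFS token, and skips aklog when no TGT is cached or a token is already present (as it would be if pam_openafs_session had already run). It also works around the empty KRB5CCNAME the original poster describes. Assumptions: MIT or Heimdal `klist -s` (exit 0 when a valid TGT is cached), and the OpenAFS `tokens` and `aklog` commands on PATH. The two `tokens` outputs embedded below are constructed samples in the tokens(1) format, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original thread): obtain an AFS token from a
# Kerberos 5 TGT at login by running aklog, only when it is actually needed.
# Source this from ~/.profile or /etc/profile.d and call ensure_afs_token.

# The poster reports KRB5CCNAME set-but-empty after an ssh password login,
# which makes kinit/klist complain. Treat an empty value as unset.
fix_ccname_env() {
    if [ -n "${KRB5CCNAME+set}" ] && [ -z "$KRB5CCNAME" ]; then
        unset KRB5CCNAME
    fi
}

# Constructed samples of `tokens` output (assumed format), used for testing.
SAMPLE_TOKENS_PRESENT="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.com [Expires Jan 21 04:52]
   --End of list--"

SAMPLE_TOKENS_EMPTY="Tokens held by the Cache Manager:

   --End of list--"

# Read `tokens` output on stdin; succeed if a token for some AFS cell is listed.
have_afs_token() {
    grep -q 'tokens for afs' 
}

# Decide what to do given the klist exit status in $1 (0 = valid TGT cached)
# and `tokens` output on stdin. Prints one of: no-tgt, have-token, aklog.
afs_action() {
    klist_status=$1
    if [ "$klist_status" -ne 0 ]; then
        echo no-tgt        # nothing to convert; the user must kinit first
    elif have_afs_token; then
        echo have-token    # PAM or an earlier shell already got the token
    else
        echo aklog         # TGT present, no token: run aklog
    fi
}

# Glue for a real login shell: check the ticket cache and the token cache,
# then run aklog only if the decision above says so.
ensure_afs_token() {
    fix_ccname_env
    klist -s 2>/dev/null
    st=$?
    case "$(tokens 2>/dev/null | afs_action "$st")" in
        aklog) aklog ;;
    esac
}
```

Keeping the decision in `afs_action` separate from the commands that act on it means the logic can be exercised with canned `tokens` output, and a login shell that has no TGT (the password-authenticated ssh case from the question) stays quiet instead of printing aklog errors at every login.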