[OpenAFS] ...automatic AFS token from Krb5 ticket in ssh/telnet?

Jason Garman jgarman@wedgie.org
Sun, 20 Jan 2002 18:09:40 -0500


On Sun, Jan 20, 2002 at 04:52:07PM -0600, Charles Clancy wrote:
> 
> Hmm... the whole Xserver thing sounds difficult.  Why have 2 layers?  Get
> rid of Citrix, and give people thin clients running XDM.
> 
Can't. :(  Most of the user interaction takes place with IE through Citrix
(lots of web apps with heavy Java that's only tested/works best through
IE).

> Alternatively, use a passive XServer.  Use a kerberized SSH to log in,
> (thus getting the appropriate TGTs and AFS Tokens), set the $DISPLAY, and
> fire off an Xterm.  You can even forward the X connection through SSH,
> making it secure!
> 
That is more than sufficient, but finding a kerberized ssh for Windows...
:) We have Reflection X here, and I think that has a kerberized telnet or
ssh, and would be happy to use either one in the manner you describe.

> > 1) If a user doesn't have Kerberos tickets (we'll be occasionally logging
> > in directly to these unix boxes over ssh with password authentication)...
> > the user is authenticated but the Kerberos credentials cache is empty.
> > Worse yet, the KRB5CCNAME environment variable is empty so when you try to
> > kinit it complains until you unset KRB5CCNAME.
> 
> My experience is with the kerberos PAM module.  In that case, it'll get a
> TGT for you while processing the password authentication.
> 
I tried compiling the bastardized openssh-gssapi with PAM support ... and
that failed miserably.  Compilation worked fine, but would refuse all
logins.  Didn't explore much more and the debug output from sshd is pretty
much useless.

> > 2) When logged in either through key exchange or password, you don't get
> > an AFS token.  I've tried compiling with afs support and krb4 support but
> > then there's all sorts of conflicts in the des functions between openssl
> > and kerberos4.
> 
> Agk -- it has nothing to do with kerberos 4.  You need to run aklog.  You
> can either put it in their startup shell script, or use something like
> pam_openafs_session (required for things like scp and ftp to work).
> 
From perusing the openssh sources and from trying to configure with
--with-afs and without --with-kerberos4, it looked like you had to enable
--with-kerberos4 to get the afs stuff to compile.  I'll look into adding
in the requisite code to do an aklog manually into sshd.

pam_openafs_session never worked for me.  Changed the path in the .c file
(both aklog and unlog are in /usr/local/bin - I hate cluttering my
/usr/bin a la Red Hat) and inserted into pam.conf.  Never gave me a token.
No debug code in there and haven't looked closer since I found the gssapi
patches.

Can't do the aklog in user profile since the home directories are in afs
and system:anyuser won't have access to it.

Thanks for the suggestions, I haven't seen much info at all out there on
the net about this stuff and it's great to hear how other people have
implemented this sort of thing.

-- 
Jason Garman / jgarman@wedgie.org
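A login hook along the lines Charles suggests, added here as an example rather than code from either poster: sourced from a file on local disk such as /etc/profile (so it still runs when $HOME is in AFS and system:anyuser cannot read it), it drops the empty KRB5CCNAME that sshd leaves behind and runs aklog only when a valid TGT is present. It assumes the standard MIT Kerberos klist and OpenAFS tokens/aklog commands are on the PATH; the usage snippet and the "tokens" output format it keys on are constructed from the thread.

```shell
# Added example, not code from the thread. Intended to be sourced from a
# site-wide profile on local disk, never from a $HOME that lives in AFS.

# An empty-but-set KRB5CCNAME makes klist and kinit look for a cache named
# "" and fail; unsetting it restores the default cache location.
fix_ccache_env() {
    if [ -n "${KRB5CCNAME+set}" ] && [ -z "$KRB5CCNAME" ]; then
        unset KRB5CCNAME
    fi
}

# Succeeds when the credentials cache holds a valid, unexpired TGT.
have_tgt() {
    klist -s 2>/dev/null
}

# Succeeds when this session already holds an AFS token: `tokens` prints an
# "Expires" line per cell and only "--End of list--" when there is none.
have_afs_token() {
    tokens 2>/dev/null | grep -q 'Expires'
}

# Obtain a token if possible and print one word describing the outcome, so
# the caller can decide whether to tell the user to kinit. Run
# fix_ccache_env before this (not inside it: command substitution forks a
# subshell, so an unset here would not reach the login shell).
afs_login() {
    if have_afs_token; then
        echo "token-present"
    elif ! have_tgt; then
        echo "no-tgt"
    elif aklog 2>/dev/null; then
        echo "token-acquired"
    else
        echo "aklog-failed"
    fi
}

# Usage when sourced from /etc/profile (constructed; adjust to taste):
#   fix_ccache_env
#   case "$(afs_login)" in
#       no-tgt)       echo "No Kerberos ticket: run kinit, then aklog" >&2 ;;
#       aklog-failed) echo "aklog failed; AFS home may be unreadable" >&2 ;;
#   esac
```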