[OpenAFS] ...automatic AFS token from Krb5 ticket in ssh/telnet?

Charles Clancy security@xauth.net
Sun, 20 Jan 2002 17:12:55 -0600 (CST)


> > > 2) When logged in either through key exchange or password, you don't get
> > > an AFS token.  I've tried compiling with afs support and krb4 support but
> > > then there's all sorts of conflicts in the des functions between openssl
> > > and kerberos4.
> >
> > Agk -- it has nothing to do with kerberos 4.  You need to run aklog.  You
> > can either put it in their startup shell script, or use something like
> > pam_openafs_session (required for things like scp and ftp to work).
> >
> From perusing the openssh sources and from trying to configure with
> --with-afs and without --with-kerberos4, it looked like you had to enable
> --with-kerberos4 to get the afs stuff to compile.  I'll look into adding
> in the requisite code to do an aklog manually into sshd.

All the --with-afs stuff in OpenSSH assumes standard kaserver interaction.
Basically, it'll do an 'afslog' for you, which is the K4 equivalent to
aklog.  Really, you want your OpenSSH to JUST do kerberos.  Handle the AFS
stuff by calling aklog separately.

> pam_openafs_session never worked for me.  Changed the path in the .c file
> (both aklog and unlog are in /usr/local/bin - I hate cluttering my
> /usr/bin ala redhat) and inserted into pam.conf.  Never gave me a token.
> No debug code in there and haven't looked closer since I found the gssapi
> patches.

I personally have never used it.  I wrote my own module that works under
Solaris, because I could only get pam_openafs_session to work with Linux.
Of course, my module only seems to work under Solaris.  It's in full-scale
production use on all the UNIX systems at Rose-Hulman Inst of Tech now,
though.  The main difference is that mine does a setpag() before forking
to aklog.  Without that, some services weren't working right.

> Can't do the aklog in user profile since the home directories are in afs
> and system:anyuser won't have access to it.

That's easy -- if you're using tcsh, just put it in /etc/csh.cshrc.  That
file gets executed before the one in their home directory.  I'm sure
there's something equivalent for bash.

> Thanks for the suggestions, I haven't seen much info at all out there on
> the net about this stuff and it's great to hear how other people have
> implemented this sort of thing.

Yeah -- I only wish I was still doing AFS administration.  I stopped just
after all the real fun stuff started happening with OpenAFS and Kerberos.
I don't get to play around with it as much as I used to.  :(

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
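
The setpag()-before-fork ordering described in the message above, as an added example that is not part of the original message or of either PAM module it mentions. Assumptions: the names session_aklog and pag_fn are hypothetical, the PAG call is passed in as a function pointer with constructed stubs so the code runs without the AFS libraries, /bin/true stands in for aklog, and the drop to the user's ids before exec is this example's choice.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*pag_fn)(void);   /* hypothetical stand-in type for setpag() */

/* Constructed stubs so the example runs without the AFS libraries. */
int stub_pag_ok(void)   { return 0; }
int stub_pag_fail(void) { return -1; }

/*
 * Create a new PAG in the calling (session) process, then fork a child
 * that drops to the user's ids and execs aklog.
 * Returns aklog's exit status, or -1 if the PAG or child could not be made.
 */
int session_aklog(pag_fn new_pag, const char *aklog_path, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid;

    /* PAG first: the child inherits it, so the token aklog obtains lands
     * in the session's PAG rather than in a per-UID or child-only one. */
    if (new_pag() != 0)
        return -1;              /* no PAG, so do not fetch a token at all */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: give up group, then user, before running aklog.
         * A real module would also reset supplementary groups. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        execl(aklog_path, aklog_path, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* /bin/true stands in for aklog in this constructed run. */
    return session_aklog(stub_pag_ok, "/bin/true", getuid(), getgid());
}
```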