[OpenAFS] OpenSSH and AFS Token Passing

Ray Link rlink+@pitt.edu
Wed, 05 Jun 2002 14:57:40 -0400 (EDT)


I know this is OpenSSH's problem, and not ours, but it had been discussed
enough on this list that I figured I'd post it here for the benefit of
everyone that got screwed by the change to OpenSSH.

Recap:  Versions of OpenSSH after 2.9 disabled the ability to pass Krb5
TGTs and AFS tokens across before attempting RSA authentication.  Because
the remote sshd then had no tokens with which to read your public key,
RSA auth would fail.

Attached is a patch to OpenSSH 3.2.3p1 (the latest version) that will pass
Krb5 TGTs and AFS tokens across the connection before authentication
happens, so that things like RSA authentication work.  It should be
applicable to other 3.x versions of OpenSSH as well, as-is or with
some fairly simple modifications.

Token/TGT passing will happen both before and after authentication to
provide seamless backwards-compatibility.  I am able to pass AFS tokens
from a pre-2.9 client to the patched 3.2.3p1 server, a patched 3.2.3p1
client to a patched 3.2.3p1 server, and a patched 3.2.3p1 client to a
pre-2.9 server.  I have tested the AFS token passing, but do not have a
Kerberos5 realm to test the TGT passing.  If someone wants to test it
for me, I'd greatly appreciate it.

Since I don't know how to write autoconf macros, you have to
-DAFS_KRB_PREPASS while compiling the patched code, if you want the pre-pass
modification.  (Otherwise, you get vanilla OpenSSH.)


==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====

"Everytime you declare main() as returning void - somewhere a little
baby cries.  So please, do it for the children."  -- Daniel Fox

[Attachment: prepass.patch]