[OpenAFS] MIT Kerberos V authentication with OpenAFS

Jason Garman jgarman@wedgie.org
Wed, 6 Mar 2002 17:21:19 -0500


On Wed, Mar 06, 2002 at 04:40:59PM -0500, Derek T. Yarnell wrote:
> The question I have for people on this list that are using Krb5 for openafs
> and solaris. What versions / compile options / pam modules are you using in
> conjunction to get ssh krb5 tickets. I am not worried about afs tokens because
> I can get that to work. But I am having real troubles getting pam to get the
> right krb5 tickets. I have gotten with the shipped solaris 8 pam_krb5 module to
> log into the console with the appropriate ticket and such. But ssh does not want
> to do it. Anyone doing this? If so might I pick your brain on a few things?
> 
I would suggest using the GSSAPI patches for OpenSSH instead.

You can find them at http://www.sxw.org.uk/computing/patches/openssh.html

Note that there are some issues with the patch; notably, it doesn't
create a ticket cache if you log in via password.  I created the following
patch to enable this functionality -- unfortunately, I haven't heard back
from the author of the original patch about including it in the
official patch.

Also, if anyone has patches to run aklog to get afs tickets
automatically, please share :)

diff -u openssh-3.0.2p1-orig/auth-krb5.c openssh-3.0.2p1-local/auth-krb5.c
--- openssh-3.0.2p1-orig/auth-krb5.c	Sun Feb 24 19:27:35 2002
+++ openssh-3.0.2p1-local/auth-krb5.c	Thu Jan 24 18:41:40 2002
@@ -147,6 +147,9 @@
 	krb5_ccache ccache = NULL;
 	char *pname;
 	krb5_creds **creds;
+	int tmpfd;
+        char ccname[35];
+        char krb5ccache[35];
 	
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
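Review bot: The three declarations added here are indented inconsistently — `int tmpfd;` with a tab like its neighbours, the two `char` arrays with spaces — and the same mix appears in the declarations added at `@@ -222,6 +237,9 @@`; use the file's tab indent for all of them. Moving `ccname` out of the `#else` block also leaves `tmpfd`, `ccname` and `krb5ccache` declared but unused when `HEIMDAL` is defined, which compilers warn about; wrapping the three in `#ifndef HEIMDAL` keeps that build quiet. The enclosing function starts outside the hunk.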
@@ -157,10 +160,22 @@
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
 #else
 {
-	char ccname[35];
 	
-	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid);
-	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+	snprintf(ccname, sizeof(ccname), "/tmp/krb5cc_%d_XXXXXX", authctxt->pw->pw_uid);
+	if ((tmpfd = mkstemp(ccname)) == -1) {
+		debug ("Can't open credential cache: %s", ccname);
+		goto fail;
+	}
+	if (fchmod (tmpfd, S_IRUSR | S_IWUSR) == -1) {
+		debug ("Can't chmod credential cache");
+		close (tmpfd);
+		goto fail;
+	}
+
+	close (tmpfd);
+	snprintf (krb5ccache, sizeof (krb5ccache), "FILE:%s", ccname);
+
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, krb5ccache, &ccache);
 }
 #endif
 	if (problem)
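Review bot: When `fchmod` fails the code closes the descriptor and jumps to `fail`, but the empty 0600 file that `mkstemp` just created at `/tmp/krb5cc_<uid>_XXXXXX` is left behind, and the same leak occurs if `krb5_cc_resolve` on the last lines reports a problem. Each such failed attempt leaves one more stray file in `/tmp`; add `unlink(ccname);` beside `close(tmpfd);` in the `fchmod` branch and on the `problem` path (the label's body is outside the hunk). Since the same mkstemp/fchmod/close sequence is repeated verbatim at `@@ -241,7 +259,20 @@`, a small static helper that creates the file and cleans up on failure, as sketched below, keeps the two paths identical and also checks the `snprintf` results, which the hunk ignores. The enclosing function starts and ends outside the hunk.
```c
/* Create an empty, owner-only temp file for a FILE: credential cache and
 * store its path in ccname.  Returns 0 on success, -1 on failure; on
 * failure nothing is left behind in /tmp. */
static int
krb5_make_ccache_file(uid_t uid, char *ccname, size_t ccname_len)
{
	int tmpfd, n;

	n = snprintf(ccname, ccname_len, "/tmp/krb5cc_%lu_XXXXXX",
	    (unsigned long)uid);
	if (n < 0 || (size_t)n >= ccname_len)
		return -1;
	if ((tmpfd = mkstemp(ccname)) == -1) {
		debug("Can't open credential cache: %s", ccname);
		return -1;
	}
	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
		debug("Can't chmod credential cache");
		close(tmpfd);
		unlink(ccname);
		return -1;
	}
	close(tmpfd);
	return 0;
}

/* … unchanged: start of the #else branch in the caller … */
	if (krb5_make_ccache_file(authctxt->pw->pw_uid, ccname,
	    sizeof(ccname)) == -1)
		goto fail;
	snprintf(krb5ccache, sizeof(krb5ccache), "FILE:%s", ccname);
	problem = krb5_cc_resolve(authctxt->krb5_ctx, krb5ccache, &ccache);
	if (problem)
		unlink(ccname);
```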
@@ -222,6 +237,9 @@
 	krb5_principal server;
 #endif	
 	krb5_error_code problem;
+	char ccname[35], krb5ccache[35];
+	krb5_get_init_creds_opt krb5options;
+	int tmpfd;
 	
 	if (authctxt->pw == NULL)
 		return (0);
@@ -241,7 +259,20 @@
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 	    &authctxt->krb5_fwd_ccache);
 #else
-	problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 
+	snprintf(ccname, sizeof(ccname), "/tmp/krb5cc_%d_XXXXXX", authctxt->pw->pw_uid);
+	if ((tmpfd = mkstemp(ccname)) == -1) {
+		debug ("Can't open credential cache: %s", ccname);
+		goto out;
+	}
+	if (fchmod (tmpfd, S_IRUSR | S_IWUSR) == -1) {
+		debug ("Can't chmod credential cache");
+		close (tmpfd);
+		goto out;
+	}
+
+	close (tmpfd);
+	snprintf (krb5ccache, sizeof (krb5ccache), "FILE:%s", ccname);
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, krb5ccache, 
 	    &authctxt->krb5_fwd_ccache);
 #endif
 	if (problem)
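Review bot: `pw_uid` is a `uid_t`, which is unsigned on most platforms, so the `%d` conversion in the `snprintf` at the top of this hunk (and in the matching one at `@@ -157,10 +160,22 @@`) is a format mismatch; use `"/tmp/krb5cc_%lu_XXXXXX"` with `(unsigned long)authctxt->pw->pw_uid`. With `%d`, a uid at or above 2^31 prints with a sign and the resulting `FILE:` string reaches 35 characters, one more than `krb5ccache[35]` can hold, so `krb5_cc_resolve` would be handed a truncated path. The switch from `MEMORY:` to a file-backed cache also means the temp file now outlives this call: it is created under whatever effective uid is in force here and must be removed at session end, and the hunk does not show whether `temporarily_use_uid()` has already run or whether the existing cleanup path calls `krb5_cc_destroy` on `krb5_fwd_ccache`, so both are worth confirming. The enclosing function starts and ends outside the hunk.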
@@ -259,8 +290,11 @@
 		goto out;
 	
 #else
-        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, 
-            authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
+	krb5_get_init_creds_opt_init (&krb5options);
+	krb5_get_init_creds_opt_set_forwardable (&krb5options, 1);
+        
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, 
+            authctxt->krb5_user, password, NULL, NULL, 0, NULL, &krb5options);
         if (problem)
         	goto out;
 
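Review bot: `krb5_get_init_creds_opt_set_forwardable(&krb5options, 1)` makes every password-authenticated TGT forwardable unconditionally, which is a policy change rather than a prerequisite for creating the cache: a forwardable TGT in a file cache lets the session obtain credentials usable on other hosts, so it is better gated on an sshd configuration option (or left at the KDC default) than hard-wired. If it stays as is, document the decision above the call, e.g. `/* TGT is requested forwardable unconditionally; consider making this configurable */`. The replacement also introduces a whitespace-only line and a space-indented continuation under a tab-indented `problem = ...` line — match the surrounding tabs. The enclosing function starts and ends outside the hunk.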
@@ -285,6 +319,7 @@
 #endif /* HEIMDAL */
 
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+	debug ("Kerberos ticket file should be: %s", authctxt->krb5_ticket_file);
 	
  out:
 	restore_uid();

-- 
Jason Garman / jgarman@wedgie.org