[OpenAFS] MIT Kerberos V authentication with OpenAFS

Matthew N. Andrews mnandrews@lbl.gov
Wed, 06 Mar 2002 14:39:04 -0800


Hello,
    I have used your patch, and have been generally happy with it; however, the one issue that I have noticed is
that when it sets the KRB5CCNAME variable, it sets it to:
/path/to/credentials/cache

rather than

FILE:/path/to/credentials/cache

which works fine with the MIT Kerberos client utilities, but which does not work with several of the DCE client
utilities (klist comes to mind). The following patch will fix this (it assumes a file-based credentials cache, but
is there any case where this wouldn't be true?):
########### cut here ################
--- session.c   Tue Feb 26 13:18:24 2002
+++ session.c.patched   Tue Feb 26 13:17:42 2002
@@ -1038,6 +1038,9 @@
        struct stat st;
        char *argv[10];
        int do_xauth;
+#ifdef KRB5
+       char ccname[34];
+#endif
 #ifdef WITH_IRIX_PROJECT
        prid_t projid;
 #endif /* WITH_IRIX_PROJECT */
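Review bot: the new `char ccname[34];` declaration uses an unexplained fixed size. With the 5-byte "FILE:" prefix and the terminating NUL, only 28 bytes remain for the ticket file path, and nothing visible here guarantees that krb5_ticket_file stays that short. Size the buffer from the platform path limit plus the prefix length (for example MAXPATHLEN + sizeof("FILE:")), or add a comment stating which cache name format the 34 is derived from.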
@@ -1291,10 +1294,12 @@
                    s->authctxt->krb4_ticket_file);
 #endif
 #ifdef KRB5
-       if (s->authctxt->krb5_ticket_file)
+       if (s->authctxt->krb5_ticket_file) {
+               snprintf(ccname, sizeof(ccname), "FILE:%s", s->authctxt->krb5_ti
cket_file);
                child_set_env(&env, &envsize, "KRB5CCNAME",
-                   s->authctxt->krb5_ticket_file);
-#endif
+                   ccname);
+       }
+#endif
 #ifdef USE_PAM
        /* Pull in any environment variables that may have been set by PAM. */
        do_pam_environment(&env, &envsize);
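Review bot: the snprintf() call in the KRB5 block ignores its return value, so a krb5_ticket_file that does not fit in sizeof(ccname) is silently truncated and KRB5CCNAME is exported naming a path that is not the user's credentials cache. Compare the return value against sizeof(ccname) and skip the child_set_env() call (with a log message) on truncation. The "FILE:" prefix is also prepended unconditionally; if krb5_ticket_file can ever already carry a cache type prefix, test for it before prepending so the result is not double-prefixed.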
################# end cut here ################



Jason Garman wrote:

> On Wed, Mar 06, 2002 at 04:40:59PM -0500, Derek T. Yarnell wrote:
> > The question I have for people on this list that are using Krb5 for openafs
> > and solaris. What versions / compile options / pam modules are you using in
> > conjunction to get ssh krb5 tickets. I am not worried about afs tokens because
> > I can get that to work. But I am having real troubles getting pam to get the
> > right krb5 tickets. I have gotten with the shipped solaris 8 pam_krb5 module to
> > log into the console with the appropriate ticket and such. But ssh does not want
> > to do it. Anyone doing this? If so might I pick your brain on a few things?
> >
> I would suggest using the GSSAPI patches for OpenSSH instead.
>
> You can find them at http://www.sxw.org.uk/computing/patches/openssh.html
>
> Note that there are some issues with the patch; notably that it doesn't
> create a ticket cache if you log in via password.  I created the following
> patch to enable this functionality -- unfortunately I haven't heard back
> from the author of the original patch regarding including this
> functionality in the official patch.
>
> Also if anyone has some patches to run aklog to get afs tickets
> automatically please share :)
>