[OpenAFS] kth-krb, openssh w. afs support on fedora core

Douglas E. Engert deengert@anl.gov
Wed, 08 Oct 2003 14:24:12 -0500


David Botsch wrote:
> 
> Is there a howto on how to do things with gssapi (or can someone offer some
> pointers)?
> 
> I recall some previous discussion with people having issues, but would have to
> search back through archives.
> 
> If I can get kth-krb to work, then should be able to recompile openssh3.4
> hopefully.

There are two places to use gssapi: first from the ssh to the sshd,
to both authenticate the user and to delegate a credential. Then the
user process started by the sshd could use the credential to authenticate
to a server to get an AFS token.

The first requires the user to have authenticated on the client, and
have obtained credentials, for example by using Kerberos for login, or
by running kinit. The ssh to sshd can then use the GSSAPI to authenticate
and delegate a new Kerberos ticket to the SSHD server machine.

Gssklog does the second of these to authenticate to a gssklogd running on
the AFS database server(s), to get an AFS token. It can use the delegated
credential for this.
 
See ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG 

aklog can also use the delegated Kerberos credential to get an AFS token,
and can be called from SSHD or a PAM routine.

For example, I have logged on to my W2K machine using an AD account.
I can then use SecureCRT with SSH to ssh to a Unix machine using GSSAPI
and delegate a credential. The SSHD on that machine can use gssklog 
via PAM to get me an AFS token so I can access my home directory in AFS. 

The point is you don't pass AFS tokens around; you delegate credentials
and use these to obtain tokens.

> 
> On Wed, Oct 08, 2003 at 02:29:01PM -0400, Chaskiel M Grundman wrote:
> >
> >
> > --On Wednesday, October 08, 2003 12:33:27 -0400 David Botsch
> > <dwb7@ccmr.cornell.edu> wrote:
> >
> > > Then, moved on to trying to get openssh going w. afs token passing
> > > support.
> > IIRC, the afs code was disabled in openssh 3.6 and removed in 3.7 (it
> > didn't work with privsep, it was insecure, etc. etc.)
> >
> > The new way to accomplish the same task is with GSSAPI credential
> > delegation. Also IIRC, openssh 3.7 includes a partial but usable
> > implementation of the GSSAPI code.
> >
> > > Ran into the can't compile in afs w/o krb4, so, went to try and
> > > compile kth-krb 1.2.2, which fails with:
> > >
> > > encrypt_ktext.c: In function `encrypt_ktext':
> > > encrypt_ktext.c:45: error: incompatible types in initialization
> > The easy way to fix this is to not compile krb4 against openssl and let it
> > use its own des library. However, doing so may cause you problems in the
> > long run. The other thing you can do is define
> > OPENSSL_DES_LIBDES_COMPATIBILITY before <openssl/des.h> is included,
> > although supposedly that code is going away at some point.
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> --
> ********************************
> David William Botsch
> Consultant/Advisor II
> CCMR Computing Facility
> dwb7@ccmr.cornell.edu
> ********************************

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
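As an added example (not from the thread), this is the OpenSSH client and server configuration that enables the flow described above: authenticate with GSSAPI, delegate a Kerberos ticket to the server, and only then obtain the AFS token there. The host name is a placeholder.

```sshconfig
# --- Client side: ~/.ssh/config (added example; host name is a placeholder) ---
# Authenticate with the Kerberos ticket obtained at login or via kinit.
# Delegation forwards a fresh ticket to the server, so it is enabled only
# for the hosts that need to obtain an AFS token on your behalf, not globally.
Host afsshell.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# --- Server side: /etc/ssh/sshd_config ---
# Accept GSSAPI authentication and keep the delegated ticket in the
# session's credential cache; remove it when the session ends so the
# ticket does not outlive the login.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
```

After login the delegated ticket sits in the session's credential cache, and aklog (or gssklog via PAM, as described above) turns it into an AFS token; no AFS token ever crosses the ssh connection.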