[OpenAFS] kth-krb, openssh w. afs support on fedora core

Douglas E. Engert deengert@anl.gov
Thu, 09 Oct 2003 10:05:47 -0500


David Botsch wrote:
> 
> Hi. From reading the README, it seems that we need to be at Krb5, first
> to use gssklog? (We are working on getting there, and are real close
> now :).

Yes, but it is not an all or nothing proposition. AFS will accept tokens
created by multiple sources, be it the KAS, gssklogd or krb524d as long as 
they are encrypted in one of the keys in the AFS KeyFile. 

You can also use a Microsoft W2K domain as the Kerberos Realm, and the
gssklog when run on a W2K or XP can use the built-in Microsoft Kerberos 
support via SSPI to get a token. The user has to be registered in the domain, 
but the user's machine does not. This allows it to use the Windows login 
credentials, or to prompt for a user and password. It can also use the MIT 
gssapi32.dll if present. So for windows users at least, you may already have 
this in place. 
 
The gssklog differs from aklog and krb524d in that it can use
a different authentication system to authenticate than it uses to create 
the token. It then maps the identity from one to the other. (This is useful 
with Globus GSI using X509 certificates.) It is also useful if you want to map 
from multiple W2K domains or Kerberos realms into a single AFS cell but 
don't want to map these as foreign AFS users.  

So even if your AFS cell is considered part of a K5 realm (i.e. <cell> == <REALM>)
and OpenAFS supports K5 tickets directly (i.e. no extra daemon like krb524d),
there still might be uses for a gssklog as an alternate way to get AFS tokens.  
  

A compiled version of the W2K version of gssklog can be found at: 
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.run.zip
It was built against OpenAFS-1.2.10.

The readme and source for unix and W2K is at:
ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.tar


> 
> Thanks.
> 
> On 2003.10.08 15:24 Douglas E. Engert wrote:
> >
> >
> > David Botsch wrote:
> > >
> > > Is there a howto on how to do things with gssapi (or can someone
> > offer some
> > > pointers)?
> > >
> > > I recall some previous discussion with people having issues, but
> > would have to
> > > search back through archives.
> > >
> > > If I can get kth-krb to work, then should be able to recompile
> > openssh3.4
> > > hopefully.
> >
> > There are two places to use gssapi, first from the ssh to the sshd
> > to both authenticate the user, and to delegate a credential. Then the
> > user process started by the sshd could use the credential to
> > authenticate
> > to a server to get an AFS token.
> >
> > The first requires the user to have authenticated on the client, and
> > have obtained credentials. For example used Kerberos for login, or
> > use kinit. The ssh to sshd can then use the GSSAPI to authenticate
> > and delegate a new Kerberos ticket to the SSHD server machine.
> >
> > Gssklog does the second of these to authenticate to a gssklogd running
> > on
> > the AFS database server(s), to get an AFS token. It can use the
> > delegate
> > credential for this.
> >
> > See ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
> >
> > aklog can also use the delegated Kerberos credential to get an AFS
> > token, and can be called from SSHD or a PAM routine.
> >
> > For example, I have logged on to my W2K machine using an AD account.
> > I can then use SecureCRT with SSH to ssh to a Unix machine using
> > GSSAPI
> > and delegate a credential. The SSHD on that machine can use gssklog
> > via PAM to get me an AFS token so I can access my home directory in
> > AFS.
> >
> > The point is you don't pass AFS tokens around, you delegate credentials
> > and use these to obtain tokens.
> >
> > >
> > > On Wed, Oct 08, 2003 at 02:29:01PM -0400, Chaskiel M Grundman wrote:
> > > >
> > > >
> > > > --On Wednesday, October 08, 2003 12:33:27 -0400 David Botsch
> > > > <dwb7@ccmr.cornell.edu> wrote:
> > > >
> > > > > Then, moved on to trying to get openssh going w. afs token
> > passing
> > > > > support.
> > > > IIRC, the afs code was disabled in openssh 3.6 and removed in 3.7
> > (it
> > > > didn't work with privsep, it was insecure. etc. etc.)
> > > >
> > > > The new way to accomplish the same task is with GSSAPI credential
> > > > delegation. Also IIRC, openssh 3.7 includes a partial but usable
> > > > implementation of the GSSAPI code.
> > > >
> > > > > Ran into the can't compile in afs w/o krb4, so, went to try and
> > > > > compile kth-krb 1.2.2, which fails with:
> > > > >
> > > > > encrypt_ktext.c: In function `encrypt_ktext':
> > > > > encrypt_ktext.c:45: error: incompatible types in initialization
> > > > The easy way to fix this is to not compile krb4 against openssl
> > and let it
> > > > use its own des library. However, doing so may cause you problems
> > in the
> > > > long run. The other thing you can do is define
> > > > OPENSSL_DES_LIBDES_COMPATIBILITY before <openssl/des.h> is
> > included,
> > > > although supposedly that code is going away at some point.
> > > >
> > > > _______________________________________________
> > > > OpenAFS-info mailing list
> > > > OpenAFS-info@openafs.org
> > > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > >
> > > --
> > > ********************************
> > > David William Botsch
> > > Consultant/Advisor II
> > > CCMR Computing Facility
> > > dwb7@ccmr.cornell.edu
> > > ********************************
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
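A worked example of the flow described in this thread (Kerberos login on the
client, GSSAPI authentication with credential delegation over ssh, then
aklog or gssklog on the server to exchange the delegated ticket for an AFS
token). This is added illustration, not code from the thread, from OpenSSH
or from gssklog: the host afs-login.example.org and realm EXAMPLE.ORG are
hypothetical, the two config texts are constructed, and the bare gssklog
invocation is an assumption (README.GSSKLOG documents the real options).

```shell
#!/bin/sh
# Added example (not from the thread): check that an OpenSSH client config
# really delegates the Kerberos credential, and show the server-side step
# that turns the delegated ticket into an AFS token.
# Host afs-login.example.org and realm EXAMPLE.ORG are hypothetical.

# Client side. GSSAPIAuthentication alone only authenticates the user;
# without GSSAPIDelegateCredentials no ticket reaches the server, so
# aklog/gssklog there has nothing to exchange for an AFS token.
CLIENT_SSH_CONFIG='Host afs-login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

# Constructed weak config: authenticates, but never delegates.
WEAK_SSH_CONFIG='Host afs-login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# Server side (sshd_config): accept GSSAPI and have sshd destroy the
# delegated credential cache when the session ends.
SERVER_SSHD_CONFIG='GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

# ssh_option CONFIG_TEXT KEYWORD
# Print the value of the first matching directive (first value wins, as in
# ssh_config). Keyword match is case-insensitive and both "Key value" and
# "Key=value" are accepted. Host blocks are not interpreted: the caller
# passes the stanza for one host.
ssh_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/=/, " "); k = tolower($1) }
        k == key { print $2; exit }'
}

# check_gss_delegation CONFIG_TEXT
# Succeeds only if the client will both authenticate with GSSAPI and
# forward the Kerberos ticket to the server.
check_gss_delegation() {
    [ "$(ssh_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(ssh_option "$1" GSSAPIDelegateCredentials)" = yes ]
}

# get_afs_token
# Run on the server after login (profile script or PAM session hook).
# Exchanges the delegated Kerberos credential for an AFS token; ssh itself
# never carries the token. Needs a real realm, cell and KeyFile, so it is
# defined here but not executed.
get_afs_token() {
    # MIT klist -s: silent, non-zero exit if the cache holds no valid ticket
    klist -s || { echo "no delegated Kerberos credential in cache" >&2; return 1; }
    if command -v aklog >/dev/null 2>&1; then
        aklog          # <cell> == <REALM>: K5 ticket -> AFS token, no krb524d
    else
        gssklog        # assumed invocation; see README.GSSKLOG for options
    fi && tokens       # confirm the AFS token is present
}

if check_gss_delegation "$CLIENT_SSH_CONFIG"; then
    echo "client config delegates credentials: ok"
fi
if ! check_gss_delegation "$WEAK_SSH_CONFIG"; then
    echo "weak config authenticates but does not delegate: aklog on the server would find no ticket"
fi
```

The check is worth running before blaming gssklogd or the KeyFile: a login
that succeeds over GSSAPI but lands without a ticket in the server-side
cache is almost always GSSAPIDelegateCredentials left at its default of no.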