[OpenAFS] New OpenSSH-3.7p1 removes AFS support
Christian Pfaffel
flash@itp.tu-graz.ac.at
17 Sep 2003 10:25:12 +0200
Andreas Haupt <ahaupt@ifh.de> writes:
> On Tue, 16 Sep 2003, Alf Wachsmann wrote:
>
> > On Tue, 16 Sep 2003, J Maynard Gelinas wrote:
> > > This may be slightly off-topic for the OpenAFS list, but the latest
> > > OpenSSH-3.7p1 removes support for AFS, writing Kerberos 5 tickets to files
> > > (in memory now), and Kerberos 4. Since an exploit for all previous OpenSSH
> > > releases has just been announced, I'm somewhat confused about how to
> > > handle this mess. Can anyone suggest a solution for remote logins which
> > > supports SSH protocols 1 & 2, AFS and Kerberos, and builds properly on
> > > Redhat Linux 7.x?
> >
> > We are patching the last version (3.6.1p2) of OpenSSH that still supports
> > AFS. The patch for this new bug is small enough to do this:
> > http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h
>
> Yes, we had to do this as well. Somehow the Kerberos5 credentials
> forwarding does not work in 3.7.1p1 with GSSAPI - the authentication
> itself works. It's built against Heimdal. On the server side I just get:
>
> debug1: No credentials stored
>
> With the GSSAPI Patch for 3.6.1p2 this worked! Strange...
>
We actually have openssh-3.7p1 working on RH7.3 and RH9 with Kerberos5
credentials forwarding. For that to work you have to enable
GSSAPIDelegateCredentials yes
in /etc/ssh/ssh_config as well as
GSSAPIAuthentication yes
in /etc/ssh/sshd_config.
What I did not manage is to obtain tokens via the self-written PAM
module, which simply runs 'aklog -setpag' on login. This worked with
3.6. A temporary workaround is to create an /etc/ssh/sshrc. See the
attachment for details. I want to get rid of it though, since
a) the user ends up not in his home directory but in /
b) aklog is run without -setpag
So what I am trying to do right now is get my pam_module executed
properly again.
regards,
Christian Pfaffel
--
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg
Attachment: sshrc
#!/bin/sh
# Contact flash@itp.tu-graz.ac.at in case of problems
# sshd runs this file with /bin/sh for every login, before the user's shell.
# Get an AFS Token if we have a valid Kerberos Ticket
/usr/bin/aklog >/dev/null 2>&1
# When /etc/ssh/sshrc exists, sshd no longer calls xauth itself: with X11
# forwarding on it passes "proto cookie" on stdin and we must add it here.
if read proto cookie; then
echo add "$DISPLAY" "$proto" "$cookie" | /usr/X11R6/bin/xauth -q -
fi
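A check for the two directives named in the mail, added here as an example and not part of Christian's post or of OpenSSH. It exists because ssh and sshd use the first value they read for a keyword and silently ignore later repeats, so appending "GSSAPIAuthentication yes" below a distro default of "no" changes nothing and is an easy thing to miss while debugging credential forwarding. The config paths are passed as arguments; the sample configs written by write_samples are constructed for the demonstration. Scanning stops at a Match block, or at a Host block other than "Host *", since values there are conditional rather than global (that handling is my assumption about what a sensible "global value" means, not something the mail discusses).

```shell
#!/bin/sh
# Added example: report the value OpenSSH would actually use for a keyword.
# Keyword matching is case-insensitive and both "Key value" and "Key=value"
# forms are accepted. First occurrence wins, as in ssh(1)/sshd(8).

# effective_value FILE KEYWORD  -> prints the effective value, or nothing
effective_value() {
    awk -v key="$2" '
        { sub("#.*", ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }  # strip comments, trim
        $0 == "" { next }
        {
            n = split($0, p, /[ \t=]+/)
            kw = tolower(p[1])
            if (kw == "match") exit                               # sshd_config conditional block
            if (kw == "host" && !(n == 2 && p[2] == "*")) exit    # ssh_config per-host block
            if (kw == tolower(key)) {
                val = $0
                sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)           # drop keyword and separator
                print val
                exit
            }
        }' "$1"
}

# check_gssapi SSH_CONFIG SSHD_CONFIG -> 0 if client delegates and server
# accepts GSSAPI, else prints what is wrong and returns 1
check_gssapi() {
    rc=0
    client=$(effective_value "$1" GSSAPIDelegateCredentials | tr 'A-Z' 'a-z')
    server=$(effective_value "$2" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    if [ "$client" != "yes" ]; then
        echo "$1: GSSAPIDelegateCredentials is '${client:-unset}', need yes"
        rc=1
    fi
    if [ "$server" != "yes" ]; then
        echo "$2: GSSAPIAuthentication is '${server:-unset}', need yes"
        rc=1
    fi
    return $rc
}

# write_samples DIR -> constructed sample configs (not files from the mail)
write_samples() {
    cat >"$1/ssh_config" <<'EOF'
# client side: everything under Host * counts as global
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
    cat >"$1/sshd_config.bad" <<'EOF'
GSSAPIAuthentication no      # distro default near the top ...
KerberosAuthentication yes
GSSAPIAuthentication yes     # ... appended later, never takes effect
EOF
    cat >"$1/sshd_config.good" <<'EOF'
GSSAPIAuthentication=yes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_gssapi "$tmp/ssh_config" "$tmp/sshd_config.bad" || echo "-> server side rejected, as expected"
check_gssapi "$tmp/ssh_config" "$tmp/sshd_config.good" && echo "-> both sides enabled"
rm -rf "$tmp"
```

Run it against the real files with `check_gssapi /etc/ssh/ssh_config /etc/ssh/sshd_config`; a result of "unset" on the server side is the same thing the "debug1: No credentials stored" message quoted above can hide, because delegation only happens when both ends agree.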