[OpenAFS] New OpenSSH-3.7p1 removes AFS support
Christian Pfaffel
flash@itp.tu-graz.ac.at
17 Sep 2003 16:34:00 +0200
Christian Pfaffel <flash@itp.tu-graz.ac.at> writes:
> Andreas Haupt <ahaupt@ifh.de> writes:
>
> > On Tue, 16 Sep 2003, Alf Wachsmann wrote:
> >
> > > On Tue, 16 Sep 2003, J Maynard Gelinas wrote:
> > > > This may be slightly off-topic for the OpenAFS list, but the latest
> > > > OpenSSH-3.7p1 removes support for AFS, writing Kerberos 5 tickets to files
> > > > (in memory now), and Kerberos 4. Since an exploit for all previous OpenSSH
> > > > releases has just been announced, I'm somewhat confused about how to
> > > > handle this mess. Can anyone suggest a solution for remote logins which
> > > > supports SSH protocols 1 & 2, AFS and Kerberos, and builds properly on
> > > > Redhat Linux 7.x?
> > >
> > > We are patching the last version (3.6.1p2) of OpenSSH that still supports
> > > AFS. The patch for this new bug is small enough to do this:
> > > http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h
> >
> > Yes, we had to do this as well. Somehow the Kerberos5 credentials
> > forwarding does not work in 3.7.1p1 with GSSAPI - the authentication
> > itself works. It's built against Heimdal. On the server side I just get:
> >
> > debug1: No credentials stored
> >
> > With the GSSAPI Patch for 3.6.1p2 this worked! Strange...
> >
>
> We actually have openssh-3.7p1 working on RH7.3 and RH9 with Kerberos5
> credentials forwarding. For that to work you have to enable
>
> GSSAPIDelegateCredentials yes
>
> in /etc/ssh/ssh_config as well as
>
> GSSAPIAuthentication yes
>
> in /etc/ssh/sshd_config.
>
> What I did not manage is to obtain tokens via the self-written PAM
> module, which simply runs 'aklog -setpag' on login. This worked with
> 3.6. A temporary workaround is to create an /etc/ssh/sshrc. See the
> attachment for details. I want to get rid of it though since
>
> a) the user ends up not in his home directory but in /
> b) aklog is run without -setpag
>
> So what I am trying to do right now is get my pam_module executed
> properly again.
Attached is a small patch that again executes the session part of the PAM
stack when logging in via GSSAPI, after the transferred credentials have
been stored. This also works with privilege separation enabled.
It does not work for keyboard-interactive login.
regards,
Christian Pfaffel
PS: If someone needs RH RPMs with the patch applied, let me know.
--
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz          Telephone: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik     Fax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz          http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg
Attachment: openssh_pam_session.patch (patch for pam_session)
--- openssh-3.7.1p1/session.c.~1~ Tue Sep 16 03:52:19 2003
+++ openssh-3.7.1p1/session.c Wed Sep 17 15:06:50 2003
@@ -396,6 +396,7 @@
#if defined(USE_PAM)
if (options.use_pam) {
+ do_pam_session();
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
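Review bot: the new do_pam_session() call is placed before the is_pam_password_change_required() check, so when that check fires a PAM session has just been opened and packet_disconnect() then drops the connection; either move the call below the check or confirm that the disconnect/cleanup path runs pam_close_session, otherwise session modules (such as the poster's aklog one) run their open half without the matching close. The accompanying message also says the patch does not work for keyboard-interactive logins, which suggests the session is already opened elsewhere on that path; a guard against a second pam_open_session() on the same handle, or a comment explaining why the exec path is the right place for the call, would save the next reader the same investigation.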
@@ -525,6 +526,7 @@
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_set_tty(s->tty);
+ do_pam_session();
do_pam_setcred(1);
}
#endif
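Review bot: do_pam_session() is inserted between do_pam_set_tty(s->tty) and do_pam_setcred(1), so the session is opened before credentials are established; Linux-PAM's pam_setcred(3) documents the opposite order (setcred before open_session) and some stacks depend on one order or the other, so state which order the modules in use rely on. Putting the call after do_pam_set_tty() is right, since PAM_TTY is then visible to the session modules. As in the no-pty hunk, nothing here prevents pam_open_session() from running twice on a handle whose session the authentication path may already have opened.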
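The earlier message in this thread names two settings that have to line up for Kerberos ticket forwarding over GSSAPI: GSSAPIDelegateCredentials in the client's ssh_config and GSSAPIAuthentication in the server's sshd_config. The check below is an added example, not code from this message, from OpenSSH or from OpenAFS. It resolves an option the way OpenSSH's config readers do (the first obtained value for a keyword wins, keywords are case-insensitive, only whole-line `#` comments exist, `Host` blocks in ssh_config are matched against the destination with `*`/`?` wildcards and `!` negation) and so catches the classic mistake of appending `GSSAPIAuthentication yes` below an older `no`. The sample configs are constructed input; the `Match` keyword it stops at postdates the 3.7 versions discussed here and is handled only so the resolver stays correct on newer files.

```python
"""Resolve the effective value of an OpenSSH client/server option.

OpenSSH reads configs top-down and keeps the FIRST value obtained for each
keyword; keywords are case-insensitive; a line is a comment only when its
first non-blank character is '#'; 'keyword value' and 'keyword=value' are
both accepted.  In ssh_config, 'Host' blocks apply to matching destinations
only.  In sshd_config, 'Match' blocks are conditional, so the global
resolver stops at the first one.

Added example, not part of the mailing-list message; both configs below are
constructed sample input, not files from the poster's systems.
"""
import re

# Constructed sample of /etc/ssh/ssh_config (client side).
SSH_CONFIG = """\
# site defaults: delegate Kerberos tickets only to our own hosts
Host *.itp.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

# Constructed sample of /etc/ssh/sshd_config (server side).  The second
# GSSAPIAuthentication line is the trap: it is ignored, the first value wins.
SSHD_CONFIG = """\
Protocol 2,1
UsePAM yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
Match User guest
    GSSAPIAuthentication yes
"""

# keyword, then '=' or whitespace, then the rest of the line as the value
_SPLIT = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_lines(text):
    """Yield (keyword_lowercased, value) for each non-comment, non-blank line.

    A bare keyword with no value does not match the splitter and is skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPLIT.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def _host_matches(host, patterns):
    """OpenSSH 'Host' semantics: '*' and '?' wildcards, '!' negates a pattern.

    The host matches when at least one positive pattern matches and no
    negated pattern does.  Hostnames compare case-insensitively.
    """
    matched = False
    for pat in patterns.split():
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        rx = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                           for c in pat) + "$"
        if re.match(rx, host, re.IGNORECASE):
            if negate:
                return False
            matched = True
    return matched


def effective_option(text, keyword, host=None):
    """Return the first obtained value of *keyword*, or None if it is unset.

    host=None   -> server config: stop at the first 'Match' block.
    host='name' -> client config: apply 'Host' blocks against that name.
    """
    want = keyword.lower()
    active = True
    for key, value in parse_lines(text):
        if key == "match":
            break  # conditional section: the global value is already decided
        if key == "host":
            active = _host_matches(host, value) if host is not None else active
            continue
        if active and key == want:
            return value
    return None


def check_gssapi_forwarding(client_cfg, server_cfg, host):
    """Both directives the thread names must be 'yes' for ticket forwarding."""
    return {
        "client_delegates": effective_option(
            client_cfg, "GSSAPIDelegateCredentials", host) == "yes",
        "server_accepts_gssapi": effective_option(
            server_cfg, "GSSAPIAuthentication") == "yes",
    }


if __name__ == "__main__":
    for h in ("login.itp.example", "other.example"):
        print(h, check_gssapi_forwarding(SSH_CONFIG, SSHD_CONFIG, h))
```

On the sample input the server check fails even though a `GSSAPIAuthentication yes` line is present, because the earlier `no` is the value sshd actually uses; running the resolver against the real files before debugging `debug1: No credentials stored` on the server rules that cause out quickly.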