[OpenAFS] OpenSSH with krb and afs

Douglas E. Engert deengert@anl.gov
Fri, 20 Aug 2004 13:50:36 -0500


Peter Nelson wrote:

> So after a few hours of hacking around I finally have kerberos-based 
> authentication *almost* completely working.  I'm using a combination of 
> pam_krb5 and pam_openafs_session for login to get tickets and tokens and 
> that works fine.  I read however that ssh's privilege separation breaks 
> the pam modules so I'm using kerberos built into ssh.  Here is the 
> relevant configuration I have from sshd_config that almost works:
> 
> KerberosAuthentication yes
> KerberosGetAFSToken yes
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
> GSSAPIAuthentication yes
> 
> If I do a completely clean login to the server it works fine and I 
> receive both krb tickets and afs tokens.  However if I login using my 
> kerberos tickets I only receive a ticket, no token.  I'll attach two 
> logs at the bottom to show what I mean.  The version of ssh I'm using is 
> "OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d 17 Mar 2004" 
> recompiled to add --with-kerberos5 in debian/rules (why the default 
> debian build explicitly turns this off is beyond me).
> 

The problem is most likely that when you use the GSSAPI, the GSSAPI
will store the credentials and set the KRB5CCNAME environment variable,
but this OpenSSH code in session.c:

    if (options.kerberos_get_afs_token && k_hasafs() &&
        (s->authctxt->krb5_ctx != NULL)) {
        char cell[64];

        debug("Getting AFS token");

        k_setpag();

will not run as there is no krb5_ctx because the GSSAPI has
the context.

(We use a replacement piece of code here that uses the env
when it calls aklog, as PAM, the KRB5 code in OpenSSH and
the GSSAPI have all set KRB5CCNAME at this point.)

A cleaner way would be to use a PAM session or storecreds exit
to get the PAG and AFS token, as OpenAFS at least in 3.9
will have the GSSAPI store the KRB5CCNAME in the pam_env.

A nice feature of this would be that OpenSSH then does not need any
knowledge of AFS, so if a vendor builds without USE_AFS you
can still use their build of OpenSSH and get the token via PAM.

But unfortunately it is doing it too late. I sent in this proposed
change but it did not make it into 3.9.


--- ,session.c	Sat Jul 17 02:05:14 2004
+++ session.c	Mon Aug 16 16:57:53 2004
@@ -661,14 +661,6 @@
  		debug("Forced command '%.900s'", command);
  	}

-#ifdef GSSAPI
-	if (options.gss_authentication) {
-		temporarily_use_uid(s->pw);
-		ssh_gssapi_storecreds();
-		restore_uid();
-	}
-#endif
-
  	if (s->ttyfd != -1)
  		do_exec_pty(s, command);
  	else
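Review bot: deleting this block removes the only call to ssh_gssapi_storecreds() that ran on every GSSAPI-authenticated session just before do_exec_pty()/do_exec_no_pty(); after the change the credentials are stored only if one of the two call sites added in the following hunks is actually reached, so please confirm there is no path to exec that bypasses both, otherwise a GSSAPI login would end with no credential cache at all. A one-line comment at this spot noting that the call moved into do_setusercontext() would spare the next reader a search.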
@@ -1247,6 +1239,13 @@
  # ifdef __bsdi__
  		setpgid(0, 0);
  # endif
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
  # ifdef USE_PAM
  		if (options.use_pam) {
  			do_pam_session();
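Review bot: the added lines are indented with a single tab while the surrounding code in this function uses two ('		setpgid(0, 0);', '		if (options.use_pam) {'); re-indent to match. The ordering is the whole point of the change (the cache and KRB5CCNAME must exist before do_pam_session() runs so a PAM session module can get the PAG and token), so a short comment saying the call must stay ahead of the PAM block would keep a later cleanup from reordering it.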
@@ -1277,6 +1276,13 @@
  			exit(1);
  		}
  		endgrent();
+#ifdef GSSAPI
+	if (options.gss_authentication) {
+		temporarily_use_uid(pw);
+		ssh_gssapi_storecreds();
+		restore_uid();
+	}
+#endif
  # ifdef USE_PAM
  		/*
  		 * PAM credentials may take the form of supplementary groups.
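Review bot: these seven lines are a verbatim copy of the block added in the previous hunk; factor them into a small static helper (for example a do_gssapi_storecreds(pw) that wraps temporarily_use_uid(), ssh_gssapi_storecreds() and restore_uid()) and call it from both branches, so the two copies cannot drift apart and the uid switching is written once. Also worth checking that the two sites are mutually exclusive, or the cache would be written twice on one login. The single-tab indentation noted on the previous hunk applies here too.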


> Thanks,
> Peter
> 
> This works fine:
> 
> avatar:~$ klist
> klist: No ticket file: /tmp/krb5cc_1000
> 
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
> avatar:~$ ssh kurma
> rufus@kurma's password:
> kurma:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_lh9209
>        Principal: rufus@HACKISH.ORG
> 
>  Issued           Expires          Principal
> Aug 19 18:13:33  Aug 20 04:13:33  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 18:13:33  Aug 20 04:13:33  afs@HACKISH.ORG
> 
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
> 
> This doesn't work:
> 
> avatar:~$ kinit
> rufus@HACKISH.ORG's Password:
> avatar:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>        Principal: rufus@HACKISH.ORG
> 
>  Issued           Expires          Principal
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
> Aug 19 17:16:59  Aug 20 03:16:58  afs@HACKISH.ORG
> 
>   V4-ticket file: /tmp/tkt1000
>        Principal: rufus@HACKISH.ORG
> 
>  Issued           Expires          Principal
> Aug 19 17:16:58  Aug 20 03:16:58  krbtgt.HACKISH.ORG@HACKISH.ORG
> avatar:~$ ssh kurma
> kurma:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_Xk9316
>        Principal: rufus@HACKISH.ORG
> 
>  Issued           Expires          Principal
> Aug 19 18:17:41  Aug 20 04:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG
> 
>   V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
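As an added check that is not part of this thread or of OpenSSH: a small POSIX sh diagnostic that reads klist output and reports whether a Kerberos service ticket for AFS was issued, which is the quickest way to tell a krbtgt-only GSSAPI login (the failing case above) from a working password login. The sample klist output is copied from the two sessions Peter quoted.

```shell
#!/bin/sh
# afs_ticket_present: read `klist` output on stdin and return 0 when a
# service ticket for AFS (afs@REALM or afs/cell@REALM) is listed, 1 otherwise.
# A cache holding krbtgt but no afs ticket is the symptom from the thread:
# the krb5 ticket arrived, but the token step (k_setpag + aklog) never ran.
afs_ticket_present() {
    awk '
        /^ *Principal:/ { next }               # header naming the client principal
        $NF ~ /^afs(\/[^@]+)?@/ { found = 1 }  # service principal is the last field
        END { if (found) exit 0; exit 1 }
    '
}

# Label one session for a human reader.  $1 = label; klist output on stdin.
report_session() {
    if afs_ticket_present; then
        echo "$1: krbtgt and AFS service ticket present"
    else
        echo "$1: krbtgt only, no AFS service ticket, token step did not run"
    fi
}

# Sample data (constructed from the klist output quoted in the thread).
KLIST_PASSWORD_LOGIN='Credentials cache: FILE:/tmp/krb5cc_lh9209
       Principal: rufus@HACKISH.ORG

 Issued           Expires          Principal
Aug 19 18:13:33  Aug 20 04:13:33  krbtgt/HACKISH.ORG@HACKISH.ORG
Aug 19 18:13:33  Aug 20 04:13:33  afs@HACKISH.ORG'

KLIST_GSSAPI_LOGIN='Credentials cache: FILE:/tmp/krb5cc_Xk9316
       Principal: rufus@HACKISH.ORG

 Issued           Expires          Principal
Aug 19 18:17:41  Aug 20 04:16:58  krbtgt/HACKISH.ORG@HACKISH.ORG'

printf '%s\n' "$KLIST_PASSWORD_LOGIN" | report_session "password login"
printf '%s\n' "$KLIST_GSSAPI_LOGIN"   | report_session "GSSAPI login"
```

On a live host, pipe the real command instead: `klist | afs_ticket_present && echo ok`.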