[OpenAFS] OpenSSH with krb and afs

Sergio Gelato Sergio.Gelato@astro.su.se
Sat, 21 Aug 2004 23:18:28 +0200


* Douglas E. Engert [2004-08-20 13:50:36 -0500]:
> Peter Nelson wrote:

> >If I do a completely clean login to the server it works fine and I 
> >receive both krb tickets and afs tokens.  However if I login using my 
> >kerberos tickets I only receive a ticket, no token.  I'll attach two 
> >logs at the bottom to show what I mean.  The version of ssh I'm using is 
> >"OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d 17 Mar 2004" 
> >recompiled to add --with-kerberos5 in debian/rules (why the default 
> >debian build explicitly turns this off is beyond me).

From what I gleaned on debian-kerberos, the default ssh package won't
include Kerberos support until GSS key exchange has been implemented.
Sam Hartman hinted that he would continue to maintain the ssh-krb5
package for another while. Time permitting, I suppose; we may have to
roll our own if he's busy with other things.

> The problem is most likely that when you use the GSSAPI, the GSSAPI
> will store the credentials and set the KRB5CCNAME environment variable,
> but the OpenSSH code in session.c:
> 
>       if (options.kerberos_get_afs_token && k_hasafs() &&
>            (s->authctxt->krb5_ctx != NULL)) {
>           char cell[64];
> 
>           debug("Getting AFS token");
> 
>           k_setpag();
> 
> will not run as there is no krb5_ctx because the GSSAPI has
> the context.

That's almost certainly the case. I posted a patch for this on
openssh-unix-dev back in the days of 3.8. A copy is available at
	http://www.astro.su.se/~gelato/patches/openssh-3.8p1-1.diff
It's been working flawlessly for me. I haven't forward-ported it to
3.8.1 or 3.9 (yet), but that shouldn't be too difficult. As to
why the patch (either mine or a functionally equivalent one) wasn't 
integrated upstream I have no idea, but that's not my problem.

> A cleaner way would be to use a PAM session or storecreds exit
> to get the PAG and AFS token, as OpenAFS at least in 3.9
> will have the GSSAPI store the KRB5CCNAME in the pam_env.

Some of the platforms I'm interested in don't have PAM (and one of
these, OpenBSD, is rather important to OpenSSH --- maybe less so to
OpenAFS), but apart from that I tend to agree --- at least in theory, 
once all the rough edges of PAM vs. privsep etc. are smoothed out.
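The symptom the thread describes (a Kerberos ticket present after a GSSAPI login, but no AFS token because the k_setpag() branch in session.c never runs) is easy to detect from a login session. The following POSIX sh helper is an added example, not code from the thread or from OpenSSH/OpenAFS: it classifies a session's credential state from the text output of `klist` and `tokens`. The sample outputs embedded below are constructed, and the line patterns it matches (a `krbtgt/` service principal line, a `tokens for afs@` line) are assumed from typical MIT Kerberos and OpenAFS output.

```sh
#!/bin/sh
# Added example: classify a login session's credential state from
# `klist` and `tokens` output, to spot "ticket but no token" sessions.
# Matching patterns are assumed from typical MIT klist / OpenAFS tokens
# output; adjust them if your tools print differently.

# has_krbtgt KLIST_OUTPUT: succeeds if a krbtgt/ ticket line is present
has_krbtgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# has_afs_token TOKENS_OUTPUT: succeeds if a "tokens for afs@" line is present
has_afs_token() {
    printf '%s\n' "$1" | grep -q 'tokens for afs@'
}

# credential_state KLIST_OUTPUT TOKENS_OUTPUT
# prints one of: ok | ticket-no-token | token-no-ticket | none
credential_state() {
    k=1; a=1
    has_krbtgt "$1" && k=0
    has_afs_token "$2" && a=0
    if [ "$k" -eq 0 ] && [ "$a" -eq 0 ]; then echo ok
    elif [ "$k" -eq 0 ]; then echo ticket-no-token
    elif [ "$a" -eq 0 ]; then echo token-no-ticket
    else echo none
    fi
}

# check_live_session: run against the current login shell's credentials.
# Prints the state; missing klist/tokens binaries are treated as empty output.
check_live_session() {
    credential_state "$(klist 2>/dev/null)" "$(tokens 2>/dev/null)"
}

# --- Constructed sample outputs (not captured from a real system) ---
KLIST_WITH_TGT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: peter@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/21/04 23:00:00  08/22/04 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

KLIST_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

TOKENS_EMPTY='Tokens held by the Cache Manager:

   --End of list--'

TOKENS_AFS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Aug 22 09:00]
   --End of list--"

# Example runs on the constructed samples:
#   credential_state "$KLIST_WITH_TGT" "$TOKENS_EMPTY"   -> ticket-no-token
#   credential_state "$KLIST_WITH_TGT" "$TOKENS_AFS"     -> ok
#   credential_state "$KLIST_NONE"     "$TOKENS_EMPTY"   -> none
```

Running `check_live_session` right after an `ssh` login that used GSSAPI authentication, and comparing it with the result after a password login, gives a quick reproduction of the behaviour Peter Nelson reports: the first prints `ticket-no-token` on an unpatched sshd, the second prints `ok`.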