[OpenAFS] openssh-3.9p1+AFS
Rainer Laatsch
Laatsch@rrz.Uni-Koeln.DE
Tue, 21 Sep 2004 22:11:02 +0200 (MET DST)
Getting openssh-3.9p1 to run with AFS when PAM is not used
(USE_PAM: if pam_afs.krb and/or pam_krb5 is used, afs_util.c and the
auth-passwd.c patch are not needed. Running afslog/gssklog from /etc/ssh/sshrc
will possibly suffice. Not yet tested at present.
)
-> krb524 not needed
-> works with kaserver and/or krb5kdc
Now:
compile openssl
compile zlib
compile MIT krb5
compile KTH krb4
compile gssklog (deengert@anl.gov) with KTH krb4 (it's great!)
(MIT krb524 AFS encryption is possibly wrong)
copy afs_util.c to src dir ; compile it ;
patch auth-passwd.c to run (if uid > 0) an external program (via afs_util),
/var/security/Klog (which would better live in AFS space),
that may call AFS klog and/or MIT kinit, leaving ticket files
with the correct owner and permissions
patch session.c to ALWAYS set a pag
and disable the code for options.kerberos_get_afs_token
configure : ./configure --with-libs=/..KTH-KRB4../lib/libkafs.a ...
patch Makefile, LIBS=: add /..KTH-KRB4../lib/libkafs.a
CPPFLAGS=:add /..KTH-KRB4../include
compile openssh-3.9p1 ; link sshd with afs_util.o added
add /etc/ssh/sshrc, which runs KTH afslog and/or gssklog before 'xauth'
to obtain the AFS token (it could also remove the ticket files afterwards)
run sshd with PubkeyAuthentication yes (root)
+ PasswordAuthentication yes (root+Users)
Mit freundlichem Gruss / Best regards
Rainer Laatsch Laatsch@rrz.Uni-Koeln.DE
-------- hints: --------
-> GSSKLOG:
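# One-time Makefile tweaks for the gssklog build: point GSS_LIBS at the MIT krb5
# static libraries plus KTH krb4's libdes/libkafs.  The original Makefile is
# kept as Makefile.ori so the edit is only applied once.
if [ ! -f Makefile.ori ] ; then
	echo " setting GSS_LIBS in Makefile..."
	mv Makefile Makefile.ori
	sed -e '/^GSS_LIBS/s+.*+GSS_LIBS = /opt/krb5/lib/libgssapi_krb5.a /opt/krb5/lib/libkrb5.a /opt/krb5/lib/libk5crypto.a /opt/krb5/lib/libcom_err.a -L/vol/krb4/lib -ldes -lkafs+' <Makefile.ori >Makefile
fi
# On SunOS other than 5.5.1: replace LDFLAGS_PAM (-G is the Solaris ld
# "build a shared object" flag).  $OSTYPE/$OS are assumed to be set by the
# build environment -- confirm before relying on this branch.
if [ "$OSTYPE" = "SunOS" -a "$OS" != "SunOS-5.5.1" ] ; then # PAM
	cp -p Makefile Makefile.interim
	sed -e '/^LDFLAGS_PAM/s+.*+LDFLAGS_PAM=-lpam -Bdynamic -G+' <Makefile.interim >Makefile
	rm Makefile.interim
fi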
...
->AUTH-PASSWD.C:
*** /Vol/src/sun4x_58/security/openssh-3.9p1/auth-passwd.c.orig Tue Jun 22 05:37:11 2004
--- /Vol/src/sun4x_58/security/openssh-3.9p1/auth-passwd.c Tue Sep 21 19:56:16 2004
***************
*** 47,52 ****
--- 47,56 ----
extern ServerOptions options;
int sys_auth_passwd(Authctxt *, const char *);
+ #ifdef USE_AFS
+ extern int do_klog(const char* user, char*) ;
+ #endif
+
void
disable_forwarding(void)
{
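Review bot: The prototype on the `+ extern int do_klog(...)` line declares the second parameter as a plain `char*`, while the afs_util.c definition further down this mail uses `const char* password`; the definition lives in another translation unit, so the compiler cannot catch the mismatch, and the prototype should be written identically, `extern int do_klog(const char *user, const char *password);`. Because the caller treats 0 as success, a one-line contract comment next to the prototype, `/* returns 0 only when the external Klog helper accepted the password */`, would help the next reader of auth_password.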
***************
*** 75,80 ****
--- 79,91 ----
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ # ifdef USE_AFS
+ if(pw->pw_uid > 0)
+ { int rc;
+ rc=do_klog(authctxt->user,password);
+ if(rc == 0) { return(1);} /* success */
+ }
+ # endif
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
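Review bot: Treating `rc == 0` as proof that the password is correct is only safe if do_klog can never return 0 on a local error, yet the afs_util.c version shown later in this mail does `return(0)` when `wait()` returns a pid other than the child's, so an interrupted or mismatched wait would authenticate the user without the helper having accepted anything. Fix do_klog to fail closed there (return non-zero), and consider handing the helper the resolved account name rather than the client-supplied `authctxt->user`, `rc = do_klog(pw->pw_name, password);`, assuming `pw` is the `struct passwd *` looked up for this login earlier in auth_password. Note also that a 0 from the helper returns before the KRB5 and sys_auth_passwd checks that follow, so for uid > 0 accounts the helper's exit status is the entire authentication decision. auth_password's body starts and ends outside this hunk.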
->SESSION.C:
*** /Vol/src/sun4x_58/security/openssh-3.9p1/session.c.orig Thu Aug 12 14:40:25 2004
--- /Vol/src/sun4x_58/security/openssh-3.9p1/session.c Tue Sep 21 19:02:56 2004
***************
*** 1468,1473 ****
--- 1468,1480 ----
*/
environ = env;
+ #if defined(USE_AFS)
+ if (k_hasafs()) {
+ k_setpag();
+ }
+ #endif
+
+ /*
#if defined(KRB5) && defined(USE_AFS)
/*
* At this point, we check to see if AFS is active and if we have
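Review bot: Wrapping the old `#if defined(KRB5) && defined(USE_AFS)` block in a `/*` … `*/` comment (opened on the `+ /*` line here, closed by the `+ */` added in the third session.c hunk) does not disable it reliably: C block comments do not nest, and the block already begins with a `/* ... */` comment, so the new comment ends at that inner `*/` (which lies outside the shown lines) and everything after it — the afslog calls and the `#endif` — is live again, leaving a stray `*/` for the compiler. Use the preprocessor instead, `#if 0` in place of the `/*` and `#endif` in place of the `*/`, which nests correctly around the inner `#if`/`#endif`. The new `k_setpag()` call itself looks right for always giving the session its own PAG; a one-line comment such as `/* always run in a fresh PAG; tokens are obtained later by sshrc via afslog/gssklog */` would record why it now runs unconditionally. The enclosing function continues outside this hunk.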
***************
*** 1483,1490 ****
debug("Getting AFS token");
- k_setpag();
-
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
krb5_afslog(s->authctxt->krb5_ctx,
s->authctxt->krb5_fwd_ccache, cell, NULL);
--- 1490,1495 ----
***************
*** 1492,1497 ****
--- 1497,1503 ----
krb5_afslog_home(s->authctxt->krb5_ctx,
s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
}
+ */
#endif
/* Change current directory to the user\'s home directory. */
-> /ETC/SSH/SSHRC:
#!/bin/sh
# Per-login hook run by sshd before the user's shell.  It turns the ticket
# files that /var/security/Klog left under /tmp for this uid into AFS tokens,
# then does the usual sshrc job of feeding the X11 cookie to xauth.
MYID=`expr "\`id\`" : 'uid=\([0-9]*\)'`
KRBTKFILE="/tmp/tkt$MYID"
KRB5CCFILE="/tmp/krb5cc_$MYID"
# Kerberos 4 ticket: KRBTKFILE is exported so afslog can find it.
if [ -f "$KRBTKFILE" ]; then
	export KRBTKFILE
	/vol/krb4/bin/afslog
fi
# (disabled) drop the ticket once the token exists:  && /bin/rm -f $KRBTKFILE
# Kerberos 5 credential cache: gssklog is pointed at its server with -server.
if [ -f "$KRB5CCFILE" ]; then
	/vol/krb5/bin/gssklog -server XXXXXX.rrz.uni-koeln.de
fi
# (disabled) drop the cache once the token exists:  && /bin/rm -f $KRB5CCFILE
# Stock sshrc behaviour: sshd passes "proto cookie" on stdin for X11 forwarding.
if read proto cookie; then
	echo add "$DISPLAY" "$proto" "$cookie" | /usr/openwin/bin/xauth -q -
fi
-> AFSUTIL.C:
/* This is a stripped version of openafs-1.2.11/src/pam/afs_util.c *RL* */
/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
*
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
*/
/* #include <afsconfig.h> */
/* #include <afs/param.h> */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>
/* #include "afs_util.h" */
/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
*
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
*/
/* #define KLOGKRB "/usr/afsws/bin/klog.krb" */
#define KLOGKRB "/var/security/Klog"
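/*
 * Write all `len` bytes of `buf` to `fd`, retrying on EINTR and on short
 * writes.  Returns 0 on success, -1 on error (errno left as set by write()).
 */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Run the external KLOGKRB helper as "Klog <user>" with `password` (plus a
 * newline) on its stdin, and report how it exited.
 *
 * The helper is started with execv() on a fixed path and an explicit argv,
 * so no shell parses the user name here and the password never appears on a
 * command line or in the process list.  The caller in auth-passwd.c treats
 * a return value of 0 as "password accepted", so every local failure in
 * this function must yield a non-zero value.
 *
 * @param user      account name handed to the helper as argv[1]
 * @param password  cleartext password written to the helper's stdin
 * @return 0 only when the whole password was delivered and the helper exited
 *         with status 0; otherwise the helper's non-zero exit status, or 1
 *         for a local failure (helper not executable, pipe/fork/write/wait
 *         error, helper killed by a signal).
 */
int do_klog(const char* user, const char* password)
{
    pid_t pid;
    int pipedes[2];
    int status;
    char* argv[3];
    char* klog_prog = KLOGKRB;
    int ret = 1;        /* default: BAD return */
    int delivered = 0;  /* set once the whole password reached the helper */

    if (user == NULL || password == NULL) {
        syslog(LOG_ERR, "do_klog: user or password missing");
        goto out;
    }

    if (access(klog_prog, X_OK) != 0) {
        syslog(LOG_ERR, "can not access klog program '%s'", KLOGKRB );
        goto out;
    }

    argv[0] = "Klog";
    argv[1] = (char*)user;
    argv[2] = NULL;

    if (pipe(pipedes) != 0) {
        syslog(LOG_ERR, "can not open pipe: %s", strerror(errno));
        goto out;
    }

    pid = fork();
    if (pid == -1) {
        syslog(LOG_ERR, "fork failed: %s", strerror(errno));
        close(pipedes[0]);
        close(pipedes[1]);
        goto out;
    }

    if (pid == 0) {
        /*
         * Child: the pipe's read end becomes stdin and, as in the original,
         * its write end becomes stdout.  dup2() is used instead of
         * close()+dup() so this also works when a pipe fd already is 0 or 1.
         */
        int rd = pipedes[0], wr = pipedes[1];
        if (wr == 0) {
            /* would be clobbered by the first dup2(); move it out of the way */
            wr = dup(wr);
            if (wr == -1)
                _exit(127);
        }
        if (dup2(rd, 0) == -1 || dup2(wr, 1) == -1)
            _exit(127);
        if (rd > 1)
            close(rd);
        if (wr > 1)
            close(wr);
        execv(klog_prog, argv);
        /*
         * Only reached when execv fails.  The child must _exit here: the
         * original fell through to `out` and returned into the forked copy
         * of sshd's authentication code.
         */
        syslog(LOG_ERR, "execv failed: %s", strerror(errno));
        _exit(127);
    }

    /* Parent: hand over the password, then collect the helper's status. */
    close(pipedes[0]);
    /*
     * NOTE(review): if the helper exits before reading, write() raises
     * SIGPIPE; sshd is expected to have SIGPIPE ignored -- confirm in the
     * caller.
     */
    if (write_all(pipedes[1], password, strlen(password)) == 0 &&
        write_all(pipedes[1], "\n", 1) == 0) {
        delivered = 1;
    } else {
        syslog(LOG_ERR, "can not write password to %s: %s",
               klog_prog, strerror(errno));
    }
    close(pipedes[1]);

    for (;;) {
        pid_t w = waitpid(pid, &status, 0);
        if (w == pid)
            break;
        if (w == -1 && errno == EINTR)
            continue;
        /* Fail closed: the original returned 0 (= success) on this path. */
        syslog(LOG_ERR, "waitpid for %s failed: %s", klog_prog, strerror(errno));
        goto out;
    }

    if (WIFEXITED(status)) {
        /* Trust the helper's verdict only if it actually saw the password. */
        ret = delivered ? WEXITSTATUS(status) : 1;
        goto out;
    }
    /* Terminated by a signal: never a success. */
    syslog(LOG_NOTICE, "%s for %s failed", klog_prog, user) ;

out:
    syslog(LOG_DEBUG, "Klog returns %d", ret);
    return(ret);
}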
-> /VAR/SECURITY/KLOG:
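#!/bin/ksh
# Invoked by sshd (through do_klog in afs_util.c) as "Klog <user>" with the
# password as the first line of stdin.  Exit status is the caller's verdict:
#   0  - AFS klog and/or Kerberos kinit accepted the password
#   17 - no AFS id could be found for the user
#   6  - both klog and kinit failed
umask 077
USER="$1"
# -r: a backslash in the password is data, not an escape.
read -r PW
[ "$USER" = "" ] && exit 17
# Map the account name to its AFS id.  The name comes from the client, so it
# is always quoted when passed on to other commands.
MYID=`/usr/afsws/bin/pts exa "$USER" -noauth | grep '^Name:' | awk '{print $4}' | sed -e 's/,//'`
# The id is used to build /tmp paths below, so accept digits only.
case "$MYID" in
	""|*[!0-9]*) exit 17 ;;
esac
# NOTE(review): /tmp/tkt<id> and /tmp/krb5cc_<id> are predictable names and
# chown follows symlinks; the checks here are unchanged from the original.
export KRBTKFILE="/tmp/tkt$MYID"
# print -r --: the password is never parsed as options, even if it starts with '-'.
print -r -- "$PW" | /usr/afsws/bin/klog "$USER" -silent -pipe -setpag -tmp
rc=$?
if [ $rc -eq 0 ] ; then
	[ -f "$KRBTKFILE" ] && chown "$USER" "$KRBTKFILE"
fi
export KRB5CCNAME="FILE:/tmp/krb5cc_$MYID"
KRB5CCFILE="/tmp/krb5cc_$MYID"
print -r -- "$PW" | /vol/krb5/bin/kinit "$USER"
rc1=$?
if [ $rc1 -eq 0 ] ; then
	[ -f "$KRB5CCFILE" ] && chown "$USER" "$KRB5CCFILE"
fi
[ $rc1 -eq 0 -o $rc -eq 0 ] && exit 0
exit 6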