[OpenAFS] openafs and Kerberos

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 23 Nov 2005 17:20:02 +0100
* Dr A V Le Blanc [2005-11-23 15:09:33 +0000]:
> The GSSAPI support in the recently released openssh 4.2 appears
> mostly to do what we need: with proper configuration, an ordinary
> user can pass Kerberos tickets to a remote machine, where a PAM
> module gets tokens using aklog.  So far as I can see, these are
> its limitations:
> 
> (1)  It won't allow a user whose home directory is in AFS to
>      authenticate using ssh keys, even if he has Kerberos
>      tickets to transfer.

And why would you want to do that? If you have Kerberos tickets,
use them for authentication as well. (OK, you won't get some of
the functionality associated with the authorized_keys file, such
as source host restrictions or forced commands. It would be really
nice if the OpenSSH developers could spend more time on making all
these features orthogonal.)

I think the problem is that the ticket-passing mechanism is only
implemented via GSSAPI, and if you don't do GSSAPI authentication
(or key exchange?) you don't get to delegate GSSAPI credentials.

> (2)  It will allow me to pass Kerberos tickets to a remote
>      user, except when the remote user is root.

Hmm. It actually works for me if the principal is listed in
~root/.k5login on the server. Just tested with an ssh-krb5 3.8.1p1 client
(Debian sarge + one unrelated local patch) against a 4.2 server (Gentoo).
The remote root account got my forwarded TGT all right.

(It didn't get me a PAG or an AFS token, but that may be a
configuration <del>bug</del> feature. Good for restarting daemons;
I think I'll keep it that way.)

> I ask this because the documentation is somewhat inadequate,
> and I'm certain I don't understand all the remarks about the
> subject in various announcements.  I have verified (1) and (2)
> by experiments, but only on selected machines.
> 
>      -- Owen
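The state Sergio describes above (forwarded TGT present on the remote account, but no PAG or AFS token) can be checked from the login shell. This is an added example, not code from either poster or from OpenAFS/OpenSSH; the `login_state`, `forwarded_tgt_realms` and `afs_token_cells` names are mine, and it assumes MIT-style `klist -f` output (a "Flags:" line whose lowercase `f` marks a forwarded ticket) and OpenAFS `tokens` output. The sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify a GSSAPI ssh login on the remote side by
# inspecting 'klist -f' and 'tokens' output (both passed in as text).

# Print the realm of each krbtgt ticket whose flags contain 'f' (forwarded).
# Reads 'klist -f' output on stdin; prints nothing if no TGT was forwarded.
forwarded_tgt_realms() {
    awk '
        /krbtgt\// { split($NF, p, "@"); realm = p[2]; next }
        /Flags:/ && realm != "" {
            if (index($2, "f") > 0) print realm
            realm = ""
        }
    '
}

# Print the cell of each AFS token listed by 'tokens' (assumed format:
# "User'"'"'s (AFS ID 1234) tokens for afs@CELL [Expires ...]").
afs_token_cells() {
    sed -n 's/.*tokens for afs@\([^ ]*\).*/\1/p'
}

# $1 = klist -f output, $2 = tokens output. Prints one of:
#   no-tgt    no forwarded TGT arrived (delegation did not happen)
#   no-token  TGT forwarded but no AFS token (the case in the post: the
#             PAM module did not run aklog for this account)
#   ok        both present
login_state() {
    realm=$(printf '%s\n' "$1" | forwarded_tgt_realms | head -n 1)
    cell=$(printf '%s\n' "$2" | afs_token_cells | head -n 1)
    if [ -z "$realm" ]; then echo no-tgt
    elif [ -z "$cell" ]; then echo no-token
    else echo ok
    fi
}

# Constructed sample outputs (not real captures).
KLIST_FORWARDED='Ticket cache: FILE:/tmp/krb5cc_0_abc123
Default principal: owen@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/23/05 16:00:00  11/24/05 02:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    Flags: FfA'
KLIST_LOCAL=$(printf '%s\n' "$KLIST_FORWARDED" | sed 's/FfA/FA/')
TOKENS_NONE='Tokens held by the Cache Manager:

   --End of list--'
TOKENS_HELD='Tokens held by the Cache Manager:

User'"'"'s (AFS ID 1234) tokens for afs@example.org [Expires Nov 24 02:00]
   --End of list--'

login_state "$KLIST_FORWARDED" "$TOKENS_NONE"   # the situation in the post
```

On a live system call it as `login_state "$(klist -f)" "$(tokens)"`; `no-token` with a forwarded TGT points at the PAM/aklog side rather than at ssh.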