[OpenAFS] Re: openafs and Kerberos

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 30 Nov 2005 10:17:36 +0000
On Wed 23 Nov 2005 at 10:22:22 -0800, Russ Allbery <rra@stanford.edu> wrote:
> ssh-krb5 is not being actively updated right now because we're planning on
> retiring the package in favor of just having people use the new 4.2
> packages with GSSAPI support.  They should be as capable, and if not, I'll
> work to make sure they are.

I wrote, about the new 4.2 openssh:
> (2)  It will allow me to pass Kerberos tickets to a remote
>      user, except when the remote user is root.

And Russ replied:

> This should work if, as mentioned by another poster, you list the
> appropriate identities in ~root/.k5login.

This solved the problem for root, except in one case, which we
have been able to fix using other means.  As a result, everything
for which we needed ssh-krb5 can now be done using 4.2.  Many
thanks for this; it wasn't mentioned in the openssh documentation,
so I was not aware that it would work, though it is mentioned
in the libpam-krb5 documentation, and of course we are using this.

I wrote:

> (1)  It won't allow a user whose home directory is in AFS to
>      authenticate using ssh keys, even if he has Kerberos
>      tickets to transfer.

And Russ replied:

> I don't think this is a difference between it and ssh-krb5 unless I'm not
> understanding you.  The problem that you're encountering is fundamental:
> you have to successfully authenticate before you can forward Kerberos
> tickets, and you have to forward Kerberos tickets before you can obtain a
> token.  So you have to be able to authenticate without a token, which
> means that you need to make your ssh authorized_keys file readable by an
> unauthenticated process.

I think the (very old) patched ssh we used which forwarded AFS tokens
did this, but I may be mistaken.  The problem is a security risk:
you need to forward your AFS tokens to a remote machine, which might
possibly misuse them.  Tests show that for system administration
this is no longer necessary, but of course users would have liked
to see it.  I find that if I log in on one machine with openssh-4.2
and get Kerberos tickets for a user, I can log in to another machine
using '-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes',
and this _does_ get AFS authentication and passes the Kerberos
credentials across.  The user in question has his home directory
in /afs, and it is not world readable, nor is anything under it,
so the GSSAPI authentication does not need access to authorized_keys
files.

Thanks to everyone whose help and advice helped us with this.

     -- Owen
     LeBlanc@mcc.ac.uk
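As an added illustration (not part of Owen's or Russ's messages), here are the two configuration fragments that correspond to the working setup described above: the client options Owen used on the command line, written into ssh_config, and a server-side AuthorizedKeysFile on local disk so that public-key logins for users whose home directories live in /afs do not require anything under /afs to be readable by an unauthenticated sshd. The host pattern and the key directory are assumptions.

```text
# ~/.ssh/config (client side) -- host pattern is an assumption
Host *.example.org
    # Authenticate with the Kerberos TGT already held on this machine
    GSSAPIAuthentication yes
    # Forward the TGT so the remote session can obtain an AFS token.
    # Only do this for hosts you trust: a forwarded ticket can be used
    # by anyone with root on the remote machine for its lifetime.
    GSSAPIDelegateCredentials yes

# /etc/ssh/sshd_config (server side)
# GSSAPI authentication is off by default in OpenSSH; enable it here.
GSSAPIAuthentication yes
# sshd reads authorized_keys before any Kerberos ticket or AFS token
# exists for the session, so keep the file on local disk instead of in
# a non-world-readable /afs home directory (directory layout assumed;
# %u expands to the login name).
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```

With keys kept on local disk, public-key logins keep working for /afs-homed users, while GSSAPI logins with delegation remain the path that actually carries Kerberos credentials (and hence an AFS token) across.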