[OpenAFS] Re: openafs and Kerberos
Dr A V Le Blanc
Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 30 Nov 2005 10:17:36 +0000
On Wed 23 Nov 2005 at 10:22:22 -0800, Russ Allbery <firstname.lastname@example.org> wrote:
> ssh-krb5 is not being actively updated right now because we're planning on
> retiring the package in favor of just having people use the new 4.2
> packages with GSSAPI support. They should be as capable, and if not, I'll
> work to make sure they are.
I wrote, about the new 4.2 openssh:
> (2) It will allow me to pass Kerberos tickets to a remote
> user, except when the remote user is root.
And Russ replied:
> This should work if, as mentioned by another poster, you list the
> appropriate identities in ~root/.k5login.
This solved the problem for root, except in one case, which we
have been able to fix using other means. As a result, everything
for which we needed ssh-krb5 can now be done using 4.2. Many
thanks for this; it wasn't mentioned in the openssh documentation,
so I was not aware that it would work, though it is mentioned
in the libpam-krb5 documentation, and of course we are using this.
> (1) It won't allow a user whose home directory is in AFS to
> authenticate using ssh keys, even if he has Kerberos
> tickets to transfer.
And Russ replied:
> I don't think this is a difference between it and ssh-krb5 unless I'm not
> understanding you. The problem that you're encountering is fundamental:
> you have to successfully authenticate before you can forward Kerberos
> tickets, and you have to forward Kerberos tickets before you can obtain a
> token. So you have to be able to authenticate without a token, which
> means that you need to make your ssh authorized_keys file readable by an
> unauthenticated process.
I think the (very old) patched ssh we used which forwarded AFS tokens
did this, but I may be mistaken. The problem is a security risk:
you need to forward your AFS tokens to a remote machine, which might
possibly misuse them. Tests show that for system administration
this is no longer necessary, but of course users would have liked
to see it. I find that if I login on one machine with openssh-4.2
and get kerberos tickets for a user, I can login to another machine
using '-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes',
and this _does_ get AFS authentication and passes the kerberos
credentials across. The user in question has his home directory
in /afs, and it is not world readable, nor is anything under it,
so the GSSAPI authentication does not need access to authorized_keys
Thanks to everyone whose help and advice helped us with this.