[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

Ken Aaker kaaker@brocade.com
Thu, 06 Sep 2007 10:47:39 -0500


Jim Rees wrote:
> James Rogers wrote:
>
>   I believe krb5 forwarding requires a host principal for the  
>   forwarding machine. Do you have one for your home machine?
>
> No, I think you need the host key on the forwarded-to (server) machine.  And
> you need GSSAPIAuthentication in the ssh config on both the client and
> server, and GSSAPIDelegateCredentials on the client.  And "afs-use-524 = 2b"
> in your krb5.conf.  You also need the equivalent of aklog on the server
> side, which the appropriate pam module can do for you (I don't use pam).
> And if you're doing X forwarding and your home directory is in afs, you'll
> need to move the Xauthority file to the local disk.
>   
Thanks for the clues; I am probably missing the host principal. I did
try various settings of the GSSAPI ssh config parameters, but they
didn't seem to change the behavior. For the host principal, do I need to
have those in keytabs?

I searched for documentation and found all sorts of stuff, but most of
it was about older versions of OpenSSH and OpenAFS and didn't apply any
longer. That added to the confusion, and then there are the other
related confusion factors, like getting tokens associated with the
userid instead of a PAG, or accidentally available to sshd, so stuff
seems to work for one user anyway until sshd restarts, or sshd and pam
claim to get tickets and tokens and then lose them, privilege
separation, ....

It really was simpler (back in the day), when all that you had to do was
add one option to OpenSSH and poof you had tokens....


Thanks,

Ken

> This is probably all documented somewhere.
>
> I think it would be nice if you could use ssh credentials for the login
> authentication, and still delegate the kerberos ticket.  Then you wouldn't
> need the host key on the server.  But this is apparently considered a
> problem.
>
> Even nicer would be token forwarding, like we had back in the good old days.
> That would make it easier for those of us who need tokens in multiple cells.
> But you can't have everything.
>
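The pieces Jim lists above (GSSAPIAuthentication on both ends, GSSAPIDelegateCredentials on the client, a host keytab on the server, afs-use-524 = 2b, and aklog run by a PAM module) collected into one worked configuration. This is an added example for this thread, not a config anyone in it posted; the host name server.example.com, the realm EXAMPLE.COM, the aklog path, the pam.d entry and the choice of krb5.conf section for afs-use-524 (Heimdal reads it from either [libdefaults] or [appdefaults]; the post names only the key and value) are assumptions.

```ini
# --- Client: ~/.ssh/config (or /etc/ssh/ssh_config) ---
Host server.example.com
    # negotiate the Kerberos ticket over GSSAPI ...
    GSSAPIAuthentication yes
    # ... and forward the TGT to the server; needs a *forwardable* TGT (kinit -f)
    GSSAPIDelegateCredentials yes

# --- Server: /etc/ssh/sshd_config ---
GSSAPIAuthentication yes
# destroy the delegated credential cache when the session ends (OpenSSH default)
GSSAPICleanupCredentials yes

# --- Server: /etc/krb5.keytab ---
# The "host key" Jim refers to is the server's host principal in its keytab:
#     host/server.example.com@EXAMPLE.COM
# Check with:  klist -k /etc/krb5.keytab
# The client needs no host principal of its own for delegation to work.

# --- Both sides: /etc/krb5.conf ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # a non-forwardable TGT cannot be delegated, whatever ssh is told
    forwardable = true

[appdefaults]
    # Jim's setting: build an rxkad-2b AFS token straight from the v5 ticket
    afs-use-524 = 2b
    # options for pam-afs-session (assumed section name; aklog path assumed)
    pam-afs-session = {
        program = /usr/bin/aklog
    }

# --- Server: /etc/pam.d/sshd ---
# pam-afs-session opens a new PAG and runs aklog once the forwarded ccache
# exists, so the tokens belong to this login session rather than to the bare
# uid or to the sshd process (the "works until sshd restarts" symptom).
session    optional    pam_afs_session.so

# --- AFS home directories and X forwarding ---
# sshd writes the Xauthority cookie before tokens exist, so point it off AFS,
# e.g. in the login shell's startup file:  XAUTHORITY=/var/tmp/xauth-$USER
```

After logging in, `klist` on the server should show the forwarded TGT in a per-session cache and `tokens` should list the cell's token; if `klist` succeeds but `tokens` is empty, the session PAM stack (not the ssh settings) is the place to look.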