[OpenAFS-port-darwin] Re: sshd with afs tokens? (bil)

Henry B. Hotz hotz@jpl.nasa.gov
Thu, 14 Aug 2003 15:17:23 -0700


At 12:01 PM -0400 8/4/03, port-darwin-request@openafs.org wrote:
>Message: 1
>Date: Fri, 01 Aug 2003 16:23:20 -0400
>From: bil <bil_hays@unc.edu>
>To: port-darwin@openafs.org, krbdev@mit.edu
>Subject: [OpenAFS-port-darwin] sshd with afs tokens?
>
>Does anyone out there have any pointers on getting afs tokens via sshd for
>remote login, either via including afs/kerberos in the ssh build, or via
>pam?
>
>Here's what we've tried (apologies in advance for my ignorance of the unix
>level) with the sshd, trying to build with afs and kerberos.
>
>*The included sshd doesn't seem to include support for kerberos 4 and afs.
>
>*Got some help from our apple engineer, who got some instructions from a
>fellow at the fermilab on building openssh against kerberos5 (but we're a
>kerberos4 /afs shop). That helped us run down the road until we hit the
>first tree.

The MIT kerberos 5 included with OSX supports kerberos 4 and the afs 
string to key function.  You should be able to build ssh against the 
installed kerberos as long as you put the right stuff in the 
/Library/Preferences/edu.mit.Kerberos file.  You can test this 
independently of ssh with just a kinit.  As an example, the following 
should be sufficient to work with JPL's AFS kaserver:

[libdefaults]
         default_realm = JPL.NASA.GOV
[v4 realms]
         JPL.NASA.GOV = {
                 kdc = eis-fil-afsdb08.jpl.nasa.gov
                 kdc = eis-fil-afsdb09.jpl.nasa.gov
                 kdc = eis-fil-afsdb10.jpl.nasa.gov
                 kpasswd_server = kerberos.jpl.nasa.gov
                 default_domain = jpl.nasa.gov
                 string_to_key_type = afs_string_to_key
         }
[v4 domain_realm]
         .jpl.nasa.gov = JPL.NASA.GOV
         jpl.nasa.gov = JPL.NASA.GOV

I suggest you try getting the native kinit to work first.  Then you 
can go back and build ssh "right" and do without the kth-krb stuff.

Nothing against the KTH stuff, you understand.  I like what those guys 
are doing a lot.  Just that you don't need that much extra stuff. 
Also I expect the kerberos support in ssh to be turned on in Panther 
(10.3) so you won't need a special build of that either.

>*Ideally, we'd like to get this to work with the built in kerberos, but
>sshd wouldn't build against it, said there was a missing library. Make
>failed tho since it couldn't find kafs.h.
>
>*Installed KTH-krb, that went ok, and got openssh to make against that and
>got it running, but now it seems to be failing because we don't have the
>kerberos services registered (sshd debug line is "Kerberos v4 TGT for xxxx
>unverifiable: (null); rcmd.gilgamesh not registered, or srvtab is wrong?").

sshd will need a srvtab/keytab file to work with Kerberos 
authentication.  That's fundamental to the design.  You need to get 
it from your AFS guys.

>Any ideas?
>
>tia,
>bil

-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
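The reply above says the native kinit is the first thing to get working, and that it depends on having "the right stuff" in /Library/Preferences/edu.mit.Kerberos. The following is an added example, not code from the original thread or from OpenAFS/MIT Kerberos: a small parser for the bracketed-section, braced-subsection format the file uses, plus a check for the settings the reply lists for an AFS kaserver realm (a [v4 realms] block for the default realm, at least one kdc, string_to_key_type = afs_string_to_key, and a [v4 domain_realm] mapping back to the realm). The sample configuration is constructed from the fragment in the reply; the function names are my own.

```python
"""Sanity-check an edu.mit.Kerberos / krb5.conf-style file for the v4/AFS
settings described in the thread.  Added example, not part of the original
post.  SAMPLE_CONFIG is constructed from the fragment quoted in the reply."""

import re

SAMPLE_CONFIG = """\
[libdefaults]
        default_realm = JPL.NASA.GOV
[v4 realms]
        JPL.NASA.GOV = {
                kdc = eis-fil-afsdb08.jpl.nasa.gov
                kdc = eis-fil-afsdb09.jpl.nasa.gov
                kdc = eis-fil-afsdb10.jpl.nasa.gov
                kpasswd_server = kerberos.jpl.nasa.gov
                default_domain = jpl.nasa.gov
                string_to_key_type = afs_string_to_key
        }
[v4 domain_realm]
        .jpl.nasa.gov = JPL.NASA.GOV
        jpl.nasa.gov = JPL.NASA.GOV
"""


def parse_krb_config(text):
    """Parse "[section]" headers, "key = value" lines and "name = { ... }"
    subsections into nested dicts.  Repeated keys (several kdc lines) are
    collected into lists, so every leaf value is a list of strings."""
    config = {}
    section = None
    stack = []  # dicts opened by "name = {", innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = config.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, value = m.group(1), m.group(2)
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{'")
    return config


def check_afs_realm(config):
    """Return a list of problems with the default realm's v4/AFS settings;
    an empty list means the file has everything the reply calls for."""
    problems = []
    realm = config.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return ["no default_realm in [libdefaults]"]
    v4 = config.get("v4 realms", {}).get(realm)
    if not isinstance(v4, dict):
        return ["default realm %s has no [v4 realms] entry" % realm]
    if not v4.get("kdc"):
        problems.append("realm %s lists no kdc" % realm)
    s2k = v4.get("string_to_key_type", [None])[0]
    if s2k != "afs_string_to_key":
        # A kaserver derives keys with the AFS string-to-key, so a plain
        # v4 string_to_key would make every password look wrong.
        problems.append("string_to_key_type is %r, expected afs_string_to_key" % s2k)
    mapped = {v[0] for v in config.get("v4 domain_realm", {}).values()
              if isinstance(v, list)}
    if realm not in mapped:
        problems.append("no [v4 domain_realm] entry maps a domain to %s" % realm)
    return problems


if __name__ == "__main__":
    cfg = parse_krb_config(SAMPLE_CONFIG)
    for problem in check_afs_realm(cfg) or ["config looks complete for an AFS kaserver realm"]:
        print(problem)
```

Run it against the real file with `parse_krb_config(open("/Library/Preferences/edu.mit.Kerberos").read())`; a clean result only means the file is internally consistent, so the kinit test the reply recommends is still the real check.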