[OpenAFS-port-darwin] Tokens on login via ssh?
Henry B. Hotz
hotz@jpl.nasa.gov
Wed, 3 May 2006 13:13:50 -0700
The following assumes you are logging in with a password. I have not
tested any of this specifically, so be warned.
Authorization Services doesn't have the concept of a "session" plug-in
vs an "auth" plug-in, and I don't think the Kerberos loginLogout
plug-in gets called if it's just a forwarded tgt (though I might be
wrong on that and should test). If it does get called then that
would be very nice.
If Apple has fixed the "builtin:krb5login" method, then you should
modify /etc/authorization to:
<key>system.login.tty</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>push_hints_to_context</string>
        <string>authinternal</string>
        <string>builtin:krb5login,privileged</string>
    </array>
    <key>tries</key>
    <integer>1</integer>
</dict>
Then install Ragnar's Kerberos loginLogout plug-in. (Look earlier on
the openafs-dev list.)
If this doesn't work then you need to dl/install the kerberos
Authorization Services example plug-in from Apple. Apply the
following patch and make that "kerberos:login,privileged" in the
above mod.
> *** authplugin.c.orig Sat Mar 25 14:33:02 2006
> --- authplugin.c Sat Mar 25 14:37:08 2006
> ***************
> *** 58,64 ****
> return NULL;
> }
>
> ! static bool invoke(MechanismRef *mechanism, int mode)
> {
> bool verifyKDC = (mode == authenticate); // only in this
> mode require kdc to be authenticated
> bool successfulAuthentication = false;
> --- 58,64 ----
> return NULL;
> }
>
> ! static bool invoke(MechanismRef *mechanism, KerberosMode mode)
> {
> bool verifyKDC = (mode == authenticate); // only in this
> mode require kdc to be authenticated
> bool successfulAuthentication = false;
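Review bot: changing the parameter type of invoke to KerberosMode only builds if login is an enumerator of that type; the patch does not show it being added alongside authenticate and authnoverify, yet the second hunk calls invoke(inMechanism, login), so confirm the enum already has it or add it in the same patch. Also, the "// only in this mode require kdc to be authenticated" comment has been wrapped onto a second line in the mail, which will make patch reject that context line; re-join it before applying.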
> ***************
> *** 181,186 ****
> --- 181,190 ----
> case kMechKerberosAuthenticateNoVerify:
> result = invoke(inMechanism, authnoverify);
> break;
> + case kMechKerberosLogin:
> + invoke(inMechanism, login);
> + result = kAuthorizationResultAllow;
> + break;
> default:
> return errAuthorizationInternal;
> }
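Review bot: the kMechKerberosLogin case discards the bool that invoke returns and sets result = kAuthorizationResultAllow unconditionally, so a failed ticket acquisition lets the login proceed with no indication of why there are no tokens. If allowing the login through regardless is the intent (reasonable for a session-setup step after authinternal has already verified the password), add a comment saying so and log the failure from invoke; otherwise check the return value. The hunk also assumes kMechKerberosLogin is a member of the enumeration being switched on, which is not shown here.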
On May 3, 2006, at 9:01 AM, port-darwin-request@openafs.org wrote:
> Message: 1
> Date: Tue, 02 May 2006 18:03:00 -0400
> From: bil <hays@ibiblio.org>
> To: port-darwin@openafs.org
> Subject: Re: [OpenAFS-port-darwin] Tokens on login via ssh?
>
>
>
> Ok, it's definitely the version of ssh. So I have a Tiger compatible
> pam_afs.so.1 that works with sshd 3.6.x, but not with 3.8 or later, if
> anyone's interested.
>
> But if anyone has a way of getting tokens in a k4 afs cell via a more
> recent sshd, I'd love to hear about it...
> tia,
> bil
>
>
>>
>> Message: 1
>> Date: Mon, 01 May 2006 18:00:08 -0400
>> From: bil <hays@ibiblio.org>
>> To: port-darwin@openafs.org
>> Subject: [OpenAFS-port-darwin] Tokens on login via ssh?
>>
>>
>> I'm trying to get 10.4 systems to obtain afs tokens when a user logs in
>> remotely via ssh. In the past I've done this with pam_afs.so.1. I've
>> managed to hack that from some source David Botsch provided for 10.2 well
>> enough so that it builds, and when I install that module, it is
>> apparently authenticating against afs (since I can login, and the
>> password prompt is "AFS Password", and most importantly, if I give it a
>> bad password I can't login). But I'm not getting tokens.
>>
>> This is against OpenSSH_3.8.1p1 provided in 10.4 against a K4 afs cell.
>>
>> I have found some emails via google that suggest this behaviour might be
>> due to the version of sshd (3.6 might work?), but I'd rather use a more
>> recent ssh than that.
>>
>> I've been poking around for alternatives, but I figured before I ran down
>> too many rabbit holes, I should ask, what are other folks doing for this?
>> Is there a way to authenticate against k4 or k5 and also get tokens?
>>
>> tia,
>> bil
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
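A check for the /etc/authorization change described in the reply above, added here as an example that is not part of the thread: it assumes the 10.4 file keeps its rights under a top-level "rights" dict and that mechanisms are evaluated in listed order, so the Kerberos mechanism should carry the privileged flag and come after authinternal (the password check).

```python
"""Sanity-check the system.login.tty rule in an /etc/authorization-style plist."""
import plistlib

# Constructed sample mirroring the rule from the mail. The real file is
# /etc/authorization (assumed top-level "rights" dict) and would be read
# with plistlib.load() on an open file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
<key>system.login.tty</key><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key><array>
<string>push_hints_to_context</string>
<string>authinternal</string>
<string>builtin:krb5login,privileged</string>
</array>
<key>tries</key><integer>1</integer>
</dict></dict></dict></plist>"""

# The two names the mail mentions: Apple's builtin mechanism and the
# example plug-in's mechanism after the patch.
KERBEROS_MECHS = ("builtin:krb5login", "kerberos:login")


def check_tty_rule(plist_bytes: bytes) -> list:
    """Return the problems found; an empty list means the rule looks right."""
    problems = []
    rights = plistlib.loads(plist_bytes).get("rights", {})
    rule = rights.get("system.login.tty")
    if rule is None:
        return ["system.login.tty rule missing"]
    if rule.get("class") != "evaluate-mechanisms":
        problems.append("class is %r, expected evaluate-mechanisms" % rule.get("class"))
    # Each entry is "name" or "name,flag[,flag...]" (e.g. ",privileged").
    entries = [m.split(",") for m in rule.get("mechanisms", [])]
    names = [e[0] for e in entries]
    krb_idx = [i for i, n in enumerate(names) if n in KERBEROS_MECHS]
    if not krb_idx:
        problems.append("no Kerberos login mechanism in mechanisms list")
    for i in krb_idx:
        if "privileged" not in entries[i][1:]:
            problems.append("%s lacks the privileged flag" % names[i])
        if "authinternal" not in names[:i]:
            # Ticket acquisition should run only after the password check.
            problems.append("%s listed before authinternal" % names[i])
    return problems
```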