[OpenAFS-port-darwin] Tokens on login via ssh?
Henry B. Hotz
hotz@jpl.nasa.gov
Thu, 4 May 2006 13:31:31 -0700
On May 4, 2006, at 11:37 AM, bil wrote:
>
>
> --On Thursday, May 4, 2006 10:31 AM -0700 "Henry B. Hotz"
> <hotz@jpl.nasa.gov> wrote:
>> Second, is your script using programs linked against Heimdal? If so you can put
>>
>> [libdefaults]
>> default_cc_name = API:
>>
>> in your krb5.conf and probably force it to use the in-memory ccache. As long as
>> KRB5CCACHE (or whatever it is) is set properly it shouldn't matter much. What you
>> really care most about is that the ccache be different for each ssh session and
>> from the console.
>
> That I can't answer, since it's the old aklog_tiger binary from CMU.
> I asked Chaskiel about the source code last week, but he couldn't
> remember which source he based it on.
aklog was only updated to build against Heimdal very recently. The
KTH guys have had an equivalent program called afslog.
>> Actually, it looks like that ccache name is being generated by ssh
>> itself, so that trumps what I just said.
>
> Yes, a friend suggested I look at ssh's source, since he thought
> the ccache location was specified there. Sure enough, it looks like
> sshd is generating the entry.
>
> So, just for grins I hacked openssh-4.3p2's auth-krb5.c file,
> changing:
> "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
> to:
> "API:Initial default ccache", geteuid());
>
> With sshd in debug mode, that seems to have fixed the problem I had
> getting k4/afs tokens via the system.login.tty key. But I think
> I've just fallen down the same old rabbit hole, since it doesn't
> work with ssh in regular mode--I'm guessing that this goes to the
> same thing that broke the pam modules.
>
> Thanks in advance for patience in going over what must be old
> ground for most of you....
Not that old. Tiger has generated a lot of new, similar problems. I
will say that I was pleased with the amount of information I got from
exercising a DTS incident with Apple.
Will be putting it together in a presentation for the AFS&KBP
workshop at UMICH.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
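The thread turns on which credential cache a session ends up with: sshd names a per-session FILE: cache under /tmp and exports it in KRB5CCNAME, which overrides any default_cc_name in krb5.conf. The script below is an added example, not code from the thread, from OpenSSH or from the Kerberos distributions. It classifies a ccache name by its TYPE: prefix (a bare path is treated as FILE:, which is how both MIT and Heimdal interpret it) and, for a FILE: cache, checks what a practitioner would want to be true of a cache sshd created: a regular file, not a symlink, owned by the calling user, with no group/other permission bits. The sshd template /tmp/krb5cc_<uid>_XXXXXXXXXX is taken from the quoted auth-krb5.c line; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: inspect the Kerberos credential cache a session is using.
# Not from the thread or from OpenSSH; names below are this example's own.

# Type prefix of a ccache name: FILE, API, KCM, DIR, MEMORY, ...
# A name with no "TYPE:" prefix is a bare path, which libkrb5 reads as FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Path part of a FILE: ccache (or a bare path); empty for non-file caches.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    printf '\n' ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Sanity-check a FILE: ccache the way sshd's per-session cache should look:
# regular file, not a symlink, owned by us, mode 0600 or tighter.
# Returns 0 when OK, 1 when something is wrong, 2 when not a FILE: cache.
check_file_ccache() {
    p=$(ccache_path "$1")
    [ -n "$p" ] || return 2
    [ ! -L "$p" ] || return 1                      # symlink in /tmp: refuse
    [ -f "$p" ] || return 1                        # must exist as a plain file
    owner=$(ls -ld "$p" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1         # owned by the caller
    perms=$(ls -ld "$p" | cut -c5-10)              # group+other bits of "-rw-------"
    [ "$perms" = "------" ] || return 1
    return 0
}

# Report on the cache of the current session. If KRB5CCNAME is unset the
# libraries fall back to FILE:/tmp/krb5cc_<uid> (the default_cc_name in
# krb5.conf, if any, would apply there; sshd's exported KRB5CCNAME overrides it).
report_current_ccache() {
    name=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
    printf 'ccache: %s (type %s)\n' "$name" "$(ccache_type "$name")"
    check_file_ccache "$name" && printf 'file cache looks sane\n' \
        || printf 'check returned %s (1 = unsafe, 2 = not a FILE: cache)\n' "$?"
}

# Create a cache with sshd's template (mktemp gives it mode 0600) and check it.
demo_session_cache() {
    t=$(mktemp "${TMPDIR:-/tmp}/krb5cc_$(id -u)_XXXXXXXXXX") || return 1
    check_file_ccache "FILE:$t"; rc=$?
    rm -f "$t"
    return $rc
}

report_current_ccache
```

Run it inside an ssh session and again on the console: the two KRB5CCNAME values should differ, and a FILE: cache that fails the check (world-readable, a symlink, or owned by someone else) is one any other local user could read tickets from or redirect.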