ftpd and AFS tickets
Austin Gonyou
austin at coremetrics.com
Wed Apr 24 12:15:49 EDT 2002
I just shared info with Turbo about how to get Kerberized SSHD doing
both password and Kerberos logins through PAM. Maybe he will give it to
you. If not, I'll be releasing a *step-by-step* guide how to get a
test-bed working with all the pieces you're talking about, and of course
welcome other docs as well. Hopefully within a week I'll have it
finalized for release, and help those as confused as I was about how
this *should* work.
On Wed, 2002-04-24 at 09:34, Ken Hornstein wrote:
> >I get logged in with entering password/passhprase, so GSSAPI works.
> >But I have no ticket, not even if requesting a forwardable and/or
> >proxiable ticket on my client at home.
> >
> >Since I don't have a ticket, I can't get a token either... So this
> >GSSAPI isn't working, or I'm making a big mistake somewhere...
>
> It sounds like your credentials aren't being forwarded across the
> connection (which is a different operation than just authentication).
> I'm not sure what triggers that in ssh; ssh people will have to speak
> up about that.
>
> > Ken> Are users typing cleartext passwords inside of ssh?
> >
> >Ehm... Hu?
>
> I take that as a "no".
>
> > >> But how about the kerberized FTP/Telnet clients/daemons?
> >
> > Ken> We have special versions here that make calls to
> > Ken> setpag()/aklog after tickets have been forwarded so you
> > Ken> always get an AFS token automatically.
> >
> >Got a patch I can get? PLEASE!?!?! :)
>
> Well ... right now the working patch is for an old version of MIT
> Kerberos.
> I'm in the middle of upgrading everything, but it's all busted now.
>
> Conceptually, the patch is very easy; in login.krb5, just run aklog if
> credentials exist. Probably you could do it in an afternoon.
>
> --Ken
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com
"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20020424/93a963c3/attachment.bin
More information about the Kerberos
mailing list