OpenSSH with latest GSSAPI patch now storing credentials !

Simon Wilkinson sxw at dcs.ed.ac.uk
Wed Mar 27 13:21:58 EST 2002


Someone (please at nospam.net) wrote:
: Just a little remark, I am running sshd in debugging mode and the
:
: debug1: No GSSAPI credentials stored
:
: message still appears, I think it shouldn't appear anymore.

Right. In order to understand why this message is correct, you need to
know a bit about how these patches are structured.

There are 3 ways you can use Kerberos to authenticate to a ssh server:

1) Enter your password at the prompt
2) Use a previously gained TGT, over the Kerberos support in protocol v1
3) Use a previously gained TGT with the GSSAPI support in protocol v2

Each of these uses a different code path, which it's desirable to keep separate
(not least because it should increase the chances of at least some of the
code being accepted into OpenSSH).

So, you will only have "GSSAPI" credentials stored if you have used option
3 to authenticate. If you've entered a password, or used protocol v1, your
credentials get to disk in a different way.

: Now I have a question, did you implement an option or something similar 
: so that it is possible to always get a forwardable ticket when logging 
: in with SSH ? Is that possible ?

It's possible. I personally don't use auth_krb5_password (we use
pam_krb5 for password authentication). The patch below should provide
the functionality you require (thanks to Nathan Neulinger for the patch).

However, is this overriding something that should be set in a Kerberos
config file? What do other applications do?

Cheers,

Simon

*** auth-krb5.c.orig	Wed Mar 27 18:22:25 2002
--- auth-krb5.c	Wed Mar 27 18:23:56 2002
***************
*** 241,246 ****
--- 241,247 ----
  #ifndef HEIMDAL
  	krb5_creds creds;
  	krb5_principal server;
+ 	krb5_get_init_creds_opt koptions;
  	char ccname[40];
  	int tmpfd;
  #endif	
***************
*** 280,287 ****
  		goto out;
  
  #else
  	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
! 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
  	if (problem)
  		goto out;
  
--- 281,291 ----
  		goto out;
  
  #else
+ 	krb5_get_init_creds_opt_init(&koptions);
+ 	krb5_get_init_creds_opt_set_forwardable(&koptions,1);
  	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
! 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, 
! 	    &koptions);
  	if (problem)
  		goto out;
  
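Review bot: `krb5_get_init_creds_opt_set_forwardable(&koptions,1)` hardwires the forwardable flag on for every password login, which silently overrides whatever `forwardable` setting the site has in krb5.conf; the call it replaces passed NULL as the options argument, which let the library apply that default. Consider gating the two new `koptions` lines on an sshd_config setting (or keeping the NULL options argument and documenting that the ticket's forwardability follows krb5.conf), so an admin who sets `forwardable = false` site-wide is not surprised by sshd. Only the code under `#else` is touched here; if the other branch of that same `#ifdef` is the Heimdal path, a Heimdal build keeps its current behaviour, and that difference should at least be noted in the patch.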


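As an added example (not part of Simon's post or of the patch above): the krb5.conf setting that the unpatched `krb5_get_init_creds_password` call honours when its options argument is NULL. With MIT Kerberos, `forwardable` in `[libdefaults]` makes every initial ticket request forwardable unless the application explicitly sets the option itself, so an sshd built from the original auth-krb5.c, or a plain `kinit` without `-f`, gets a forwardable TGT from this one line. The realm and host names are placeholders.

```ini
# /etc/krb5.conf (illustrative fragment; realm and hosts are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM
    # false (or unset): initial tickets are not forwardable unless the
    # application asks for it (kinit -f, or code that sets the option),
    # so a TGT obtained at the sshd password prompt cannot be delegated.
    # true: every krb5_get_init_creds_password() call that leaves the
    # forwardable option unset, and plain kinit, gets a forwardable TGT.
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```

Check the result with `klist -f`: a forwardable ticket shows `F` in its flags column. The patch above, by contrast, sets the option explicitly, so with it applied the krb5.conf value no longer decides the outcome for sshd password logins.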

More information about the Kerberos mailing list