SSH with K5/AFS: anyone?
Jens Kleineheismann
jk at em.uni-karlsruhe.de
Fri Aug 27 06:01:31 EDT 2004
Hej hej,
Sensei <noone at nowhere.org> wrote:
> Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a
> passwordless ssh trusting the k5 tickets and granting the access to afs
> using aklog (pam_openafs_session).
I had problems too, after upgrading openssh from 3.6 to 3.8, which
drove me crazy for weeks. I am still testing whether everything works
all right now, but it seems good.
I don't know whether it is the same thing at your site, because I use
different pam modules and maybe have a different setup altogether.
But maybe it can help you.
In my setup, the kerberos ticket is acquired within pam_authenticate()
and stuffed into memory. Then, within pam_open_session(), it is
written to disk and aklog is called.
Therefore pam_sm_open_session() must know about KRB5CCNAME and must
have access to the ticket that is held in memory. These things
come from pam_sm_authenticate().
Since openssh 3.7xx the pam_authenticate() stuff and the
pam_open_session() stuff are done by separate children (no matter
whether UsePrivilegeSeparation is yes or no).
So the pam functions cannot communicate with each other via the pam
environment.
Unfortunately, AFAIK there is still no proper solution for that. The
only workaround I know of is to compile openssh with USE_POSIX_THREADS
and link it against libpthread. But this is not recommended by the
openssh folks.
To do so, add '--with-cppflags=-DUSE_POSIX_THREADS' and
'--with-libs=-lpthread' to the options of the ./configure script.
A second problem is that the gssapi authentication method has changed.
Our old openssh progs are patched with the gssapi stuff from Simon
Wilkinson and announce a 'gssapi' authentication.
The new openssh progs announce a 'gssapi-with-mic' authentication.
> Has anyone *EVER* succeeded in using passwordless ssh with kerberos
> and afs?
As said, between my new openssh 3.8.1p1 machines it seems to work.
To be complete, I use a modified pam_krb5-2.0.4 (source is from
Red Hat's RPM), where the libkrbafs stuff is replaced by aklog stuff.
hope this helps,
heinzel =u}
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s-:-- a- C++(---) UL++++$ P--- L+++ E--- W(--) N++ o? K? w---
O M- !V PS+++ PE Y+ PGP+ t 5- X- R* tv-- b++ DI-- D---- G e h++ r@ !y
------END GEEK CODE BLOCK------
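The post above describes a handover that only works when pam_sm_authenticate() and pam_sm_open_session() run in the same address space: the ticket lives in the PAM handle's memory and KRB5CCNAME in the PAM environment, so a session child that did not run the authenticate step finds neither. The script below is an added example, not code from the post, from OpenSSH or from pam_krb5. It models a PAM handle with pam_set_data()/pam_putenv()-style storage and runs the authenticate step three ways: in the same process, in a thread (the USE_POSIX_THREADS workaround), and in a forked child (the separate-children behaviour the post describes). The handle class, the constructed ticket bytes, the ccache file name and the stand-in for aklog are all assumptions made for illustration.

```python
# Added example: models the PAM authenticate/session split from the post.
# Not OpenSSH or pam_krb5 code; PamHandle, FAKE_TICKET and the fake
# aklog check are constructed for illustration.
import os
import tempfile
import threading


class PamHandle:
    """Stand-in for pam_handle_t: module data plus the PAM environment."""

    def __init__(self):
        self._data = {}   # pam_set_data()/pam_get_data(): lives only in memory
        self._env = {}    # pam_putenv()/pam_getenv()

    def set_data(self, key, value):
        self._data[key] = value

    def get_data(self, key):
        return self._data.get(key)

    def putenv(self, key, value):
        self._env[key] = value

    def getenv(self, key):
        return self._env.get(key)


# Constructed placeholder for the credential bytes acquired at authentication.
FAKE_TICKET = b"krbtgt/EXAMPLE.ORG@EXAMPLE.ORG: constructed ticket bytes"


def pam_sm_authenticate(pamh, ccache_dir):
    """Acquire the ticket (faked here), keep it in memory, pick KRB5CCNAME."""
    pamh.set_data("krb5_ticket", FAKE_TICKET)
    pamh.putenv("KRB5CCNAME", "FILE:" + os.path.join(ccache_dir, "krb5cc_example"))
    return "PAM_SUCCESS"


def pam_sm_open_session(pamh):
    """Write the in-memory ticket to KRB5CCNAME, then stand in for aklog."""
    ticket = pamh.get_data("krb5_ticket")
    ccname = pamh.getenv("KRB5CCNAME")
    if ticket is None or ccname is None:
        return "PAM_SESSION_ERR"   # nothing was handed over from authenticate()
    path = ccname[len("FILE:"):]
    with open(path, "wb") as f:
        f.write(ticket)
    # aklog would read this ccache to get an AFS token; we only check it exists.
    return "PAM_SUCCESS" if os.path.getsize(path) == len(ticket) else "PAM_SESSION_ERR"


def run_same_process(ccache_dir):
    pamh = PamHandle()
    pam_sm_authenticate(pamh, ccache_dir)
    return pam_sm_open_session(pamh)


def run_in_thread(ccache_dir):
    """authenticate() in a thread: same address space, so the data survives."""
    pamh = PamHandle()
    t = threading.Thread(target=pam_sm_authenticate, args=(pamh, ccache_dir))
    t.start()
    t.join()
    return pam_sm_open_session(pamh)


def run_in_forked_child(ccache_dir):
    """authenticate() in a separate child: only its return value comes back."""
    pamh = PamHandle()
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: authenticate, report, exit
        os.close(r)
        os.write(w, pam_sm_authenticate(pamh, ccache_dir).encode())
        os._exit(0)
    os.close(w)
    child_rc = os.read(r, 64).decode()
    os.close(r)
    os.waitpid(pid, 0)
    assert child_rc == "PAM_SUCCESS"   # the child's copy of pamh got the ticket
    return pam_sm_open_session(pamh)   # the parent's copy did not


def compare_models():
    """Session result for each place the authenticate step may have run."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "same_process": run_same_process(d),
            "thread": run_in_thread(d),
            "forked_child": run_in_forked_child(d),
        }


if __name__ == "__main__":
    for model, result in compare_models().items():
        print(f"{model:13s} -> {result}")
```

Running it shows the shape of the failure from the post: the same-process and thread runs reach the ccache write and the aklog stand-in, while the forked-child run fails in open_session because the ticket and KRB5CCNAME it needs were set in a copy of the handle that no longer exists. The model only covers the in-memory handover; it says nothing about what a real pam_krb5 or OpenSSH build does with the PAM environment, which is exactly the part the post reports as broken.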