SSH with K5/AFS: anyone?
Sensei
noone at nowhere.org
Fri Aug 27 11:15:57 EDT 2004
Douglas E. Engert wrote:
> Since you are hiding your identity, I am reluctant to continue this
> discussion. If you want help, you will need to show others on this list
> what you have done first.
You can use my academic mail milicchio at dia.uniroma3.it but I cannot use
it outside my university. So, I began to use my personal account. That's
it. Moreover, who cares who I am and why would he care? :)
Anyway, the situation is this: two ssh versions which are NOT compatible, as I
learned. The 3.4 version can't compile on new systems since it relies on
cyrus-sasl 1.5, while on the client side I use the new 2.1 version. Now,
I wonder if it's possible to make all the ssh 3.9 work with kerberos.
On this side, pam is set up with debian stable modules on ALL systems
(client and server, debian and gentoo --- I recompiled them). So, at
login, I get authenticated via pam_krb5, and the optional session modules
pam_krb5 and pam_openafs_session are executed when someone uses a
kerberos/afs account. The tickets are forwardable, renewable, proxiable.
The afs tokens have no such flags.
SSH should simply forward the TGT ticket held by the principal, then
grant access, since the kerberos tickets are a trusted authentication
method. Now, after granting access, the tickets should be kept in
the kerberos cache and open a pam_krb5 session. After that, the
pam_openafs_session pam session has to run aklog and transform the
ticket into a token.
I usually use openssh on the client side from gentoo's portage, but I
tried to compile it myself. Nothing. Always a password (keyboard
interactive).
> Based on your other messages to this list, your Kerberos environment
> is not setup correctly. You will need that first.
The only things that are really set up correctly are kerberos and afs... and
that's _sure_. The last post is about something really strange on debian
stable: it always worked and now I don't see why it shows the strange
message about the kerberos library... I didn't change anything. Anyway,
it's just the slave kdc, not the master. The main servers are really
working.
--
Sensei <mailto:senseiwa at tin.it>
The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow is monday". (Gustave Flaubert)
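Editor's added example, not part of the original post or of any of the projects it mentions: the OpenSSH and PAM settings that the login flow described in the message (GSSAPI login with a forwarded TGT, then pam_krb5 and pam_openafs_session running aklog in the PAM session stack) depends on, with a small shell check that greps a configuration for them. The option names are the OpenSSH ones (GSSAPIAuthentication, GSSAPIDelegateCredentials, UsePAM); the PAM module names come from the post; every configuration snippet and the host pattern `*.example.org` are constructed for the example. The two "bad" snippets show the two settings whose absence most often produces the "always a password (keyboard-interactive)" symptom: GSSAPI disabled on the server, and authentication without delegation on the client, which logs you in but leaves no ticket in the server-side cache for aklog to convert.

```shell
#!/bin/sh
# Added example (editor's, not from the original post). All config text below
# is constructed for illustration.

# Server side, sshd_config. GSSAPIAuthentication enables the gssapi-with-mic
# method that accepts the client's Kerberos credentials; UsePAM is what makes
# sshd run the PAM account/session stack after a GSSAPI login, so pam_krb5 and
# pam_openafs_session (aklog) actually execute. KerberosAuthentication only
# covers the password fallback path (password checked against the KDC).
GOOD_SSHD='
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
KerberosAuthentication yes
'

# Server with GSSAPI off: the client never gets to offer its TGT and falls
# back to keyboard-interactive / password.
BAD_SSHD='
GSSAPIAuthentication no
UsePAM yes
'

# Client side, ssh_config. Authenticating with GSSAPI does not by itself
# forward the TGT; GSSAPIDelegateCredentials sends it to the server, where
# sshd stores it in a credential cache (KRB5CCNAME) for the PAM session.
GOOD_SSH='
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Client that authenticates but does not delegate: login works, but no ticket
# reaches the server, so aklog has nothing to turn into an AFS token.
NODELEG_SSH='
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
'

# /etc/pam.d/sshd matching the post: both session modules are "optional" so a
# non-Kerberos/AFS account can still log in.
PAM_SSHD='
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so
account   required    pam_unix.so
session   optional    pam_krb5.so
session   optional    pam_openafs_session.so
'

# has_option CONFIG KEYWORD VALUE -> exit 0 if a line "KEYWORD VALUE" is present
# (keywords are case-insensitive in OpenSSH; leading whitespace allowed).
has_option() {
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"
}

# check_sshd_config CONFIG -> 0 when the server both accepts GSSAPI logins and
# runs the PAM session stack.
check_sshd_config() {
    has_option "$1" GSSAPIAuthentication yes &&
    has_option "$1" UsePAM yes
}

# check_ssh_config CONFIG -> 0 when the client authenticates with GSSAPI and
# also forwards (delegates) the TGT.
check_ssh_config() {
    has_option "$1" GSSAPIAuthentication yes &&
    has_option "$1" GSSAPIDelegateCredentials yes
}

# check_pam_sshd CONFIG -> 0 when both session modules from the post are stacked.
check_pam_sshd() {
    has_option "$1" 'session[[:space:]]+optional' 'pam_krb5\.so' &&
    has_option "$1" 'session[[:space:]]+optional' 'pam_openafs_session\.so'
}

if check_sshd_config "$GOOD_SSHD" && check_ssh_config "$GOOD_SSH" && check_pam_sshd "$PAM_SSHD"; then
    echo "config supports GSSAPI login, TGT forwarding and the PAM session modules"
fi
check_sshd_config "$BAD_SSHD" || echo "BAD_SSHD: GSSAPI off, clients fall back to password"
check_ssh_config "$NODELEG_SSH" || echo "NODELEG_SSH: login works but no TGT reaches the server"
```

To see which side is at fault on a real host, run the client with `ssh -v` and check that `gssapi-with-mic` appears in the list of methods it tries and that the server lists it in the methods it accepts; if the server never offers it, the problem is in sshd_config (or the server's keytab, which must hold the host principal for the name the client connects to), and if the client never tries it, the problem is in ssh_config or the client's own ticket cache.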