Re: [OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MITKerberos

[Andreas Haupt <ahaupt@ifh.de>]

On Mon, 26 Jan 2004, Douglas E. Engert wrote:
> Andrei Maslennikov wrote:
> >
> > We have implemented the strategy similar to the one that Douglas suggested
> > in his posting. In our case (Heimdal) we allow user to login using his/her
> > K5 password and then call Heimdal "afslog" inside session.c:
> >
> >         system("/usr/sshutils/sbin/afslog >/dev/null 2>&1");

On a PAM aware system this should not be needed. We use pam_krb5
(http://sourceforge.net/projects/pam-krb5/). It works with password
authentication and stores the K5/4 TGT and AFS token. When doing GSSAPI
authentication it automatically converts the forwarded credentials to a K4
TGT and obtains the AFS token.

The only trick we had to do was to link OpenSSH against libpthread which
is no configure option and to set KRB5CCNAME to FILE:/tmp/krb5cc_*.
Normally the ssh just stores it to /tmp/krb5cc_*.

> > What we were yet unable to achieve is the further K5 credentials
> > forwarding in case of login via the K5 password. What happens is the
> > following:
> >
> >   1) ssh to host A, login with K5 password (and obtain a PAG-based token)
>
> Was the ticket marked forwardable?  Can you set with Hiemdal in the
> krb5.conf file a default that tickets should be forwardable?

Yes, in krb5.conf simply set

[libdefaults]
forwardable = true

Greetings
Andreas

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7369
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216