requesting advice on integrating openssh & solaris secure RPC

Ron Young ron at wiggins.isri.unlv.edu
Sun May 27 13:37:30 EST 2001


Hi:

	I am new to the list and new to developing secure applications.
	I have been reading the archives to see if anyone has integrated
	openssh with solaris 8 secure RPC. It doesn't look like there is
	any support to do this in openssh.

	I have started on a preliminary patch to openssh-2.5.2p2 to
	automatically authenticate secure rpc using the same password
	used by sshd to authenticate the user.

	Here is some brief background on our environment:

	    a collection of solaris fileservers and workstations.

	    home directories are mounted to workstations via secure RPC/NFS,
	    so users have to have their secure rpc authentication set up
	    as part of the session creation done by sshd.

	    all external sessions must connect using openssh and a password
	    (i.e. no authorized_keys allowed for first connection).

	    once connected to one of our systems, the user should not
	    have to re-enter their password.

	    whatever method is used should be transparent to the user (i.e.
	    it should not interfere with anything they may use: ssh-agents,
	    port forwarding, etc.)

	I have the initial connection (with password) successfully working
	with secure RPC/NFS. My next step is to somehow get it so this
	carries over when the user connects to another workstation using
	authorized_keys to avoid having to re-enter their password.

	I have a couple of ideas that I would like some feedback on...

	1) generate a restricted command key that somehow contains the
	   information required to authenticate to secure NFS on the
	   new workstation.

	2) encrypt to the initial password used to access the system and
	   pass it along as an environment variable that the new workstation's
	   sshd would use.

	3) use the ssh-agent mechanism to store the secure rpc password
	   so that the ssh client can send it along to the new workstation's
	   sshd.

	Any thoughts on whether the above are not recommended and/or how they
	should be implemented would be greatly appreciated.

	thanks

	-ron young

===============================================================================
Ron Young, Sr. Software Design Engineer & System Admin. (702) 895-1070 (voice)
Information Science Research Institute			(702) 895-1183 (fax)
University of Nevada, Las Vegas (UNLV/ISRI)		ron at isri.unlv.edu
Box 454021, Las Vegas, NV 89154
