problem with AFS token forwarding

Holger Trapp holger.trapp at hrz.tu-chemnitz.de
Tue Nov 20 18:19:08 EST 2001 

Hello,

I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the source code when trying to find the reason
for the problem).

I already reported this problem to Markus Friedl (in German) and he gave
me the advice to report it to openssh-unix-dev at mindrot.org.

The reason for the problem is a reorganization of the source code. In
older OpenSSH versions the token was forwarded after the server had
authenticated to the client but BEFORE any user authentication. And I
think this is OK. The client knows that the server is authentic and can
send all tokens it has. This has the advantage that the server can use
these tokens and can access files in the AFS home directory of the user on
the server.

In the latest OpenSSH releases the token is only forwarded AFTER a
successful user authentication. That means that the older servers are in
function do_authenticated1() when the message of type 65
(SSH_CMSG_HAVE_AFS_TOKEN) arrives. This message is no longer accepted at
this point. Therefore the error message

  Unknown packet type received after authentication: 65

is to be found in the server logs.

It would be very helpful for us if the next OpenSSH release would solve
this interoperability problem because we still have some older SSH
installations. And as I wrote above we think it is the right way to
forward the token before the user authentication so that OpenSSH can e.g.
access $HOME/.ssh/authorized_keys in an AFS home directory.

Additionally I'd like to ask a question. Is it planned for future OpenSSH
releases to make AFS token and Kerberos TGT forwarding available for
version 2 of the SSH protocol as well? At least for our site (where AFS is
used very heavily) this would be a very helpful feature.

Cheers,
Holger

More information about the openssh-unix-dev mailing list