AFS and tokenforwarding

Bjoern Groenvall bg at
Thu Oct 4 05:26:55 EST 2001

>>>>> "mouring" == mouring  <mouring at> writes:

mouring> On 3 Oct 2001, Bjoern Groenvall wrote:

>>  I'm not sure I received the relevant emails pertaining to this
>> discussion. Are you talking about the problems with including the
>> required files under SunOS 5.7? Probably this is about some
>> different issue?
>> Cheers, Björn

I still feel I'm out of sync in this discussion so perhaps somebody
can correct me. Meanwhile I have to make some guesses!

I assume that the problem is that public key authentication does not
work in 

RCSID("$OpenBSD: sshconnect1.c,v 2001/09/27 19:03:55 jason Exp $");

if the keys are stored in an read protected AFS directory.

To make it possible for sshd to read those read protected files in
~/.ssh it is necessary to first forward a valid AFS token. That can be
achieved by moving the code:

        /* Try AFS token passing if the server supports it. */
        if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
            options.afs_token_passing && k_hasafs()) {
                if (options.cipher == SSH_CIPHER_NONE)
                        log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");

so that it happens before any files are accessed in the users home

I guess that is what Serges patch was designed to do.

>From a more general perspective one may reason that both AFS tokens
and krb{4,5} tickets should be forwarded early to allow for access to
files in remote home directories. I.e change the code to first forward
AFS tokens, then krb4 tickets, and then krb5 tickets. If tickets are
forwarded early, one must also be careful to handle ownership
correctly. This should not be a problem with tokens since they are
referenced via a PAG.

Objections anybody?


  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg at, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 

More information about the openssh-unix-dev mailing list