AFS and tokenforwarding

Serge Droz serge.droz at
Thu Oct 4 16:44:20 EST 2001

Ok, here the rational for my patch. I haven't looked at the krb5 stuff
and hope I didn't break anything there.

As you say, public key authentication doesn't work in the 2.9.9p2
This is becasue the AFS token get's passed too late, and sshd can't read 
the .ssh/* files on the remote system.

All I did (more or less) was to move the respective calls back to where
they where
in the pre 2.9.9p2 releases. 

I'm not sure why you think the tokens get passed unencrypted:

>ssh -v
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
bla bla ....
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'llc1' is known and matches the RSA1 host key.
debug1: Found key in /afs/
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Remote: AFS token accepted (afs at, AFS ID 3789 at
debug1: Trying RSA authentication via agent with 'droz at'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
bla bla
Last login: Fri Sep 28 12:02:49 2001 from

> I still feel I'm out of sync in this discussion so perhaps somebody
> can correct me. Meanwhile I have to make some guesses!
> I assume that the problem is that public key authentication does not
> work in
> RCSID("$OpenBSD: sshconnect1.c,v 2001/09/27 19:03:55 jason Exp $");
> if the keys are stored in an read protected AFS directory.
> To make it possible for sshd to read those read protected files in
> ~/.ssh it is necessary to first forward a valid AFS token. That can be
> achieved by moving the code:
>         /* Try AFS token passing if the server supports it. */
>         if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
>             options.afs_token_passing && k_hasafs()) {
>                 if (options.cipher == SSH_CIPHER_NONE)
>                         log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
>                 send_afs_tokens();
> so that it happens before any files are accessed in the users home
> directory.
> I guess that is what Serges patch was designed to do.
> From a more general perspective one may reason that both AFS tokens
> and krb{4,5} tickets should be forwarded early to allow for access to
> files in remote home directories. I.e change the code to first forward
> AFS tokens, then krb4 tickets, and then krb5 tickets. If tickets are
> forwarded early, one must also be careful to handle ownership
> correctly. This should not be a problem with tokens since they are
> referenced via a PAG.
> Objections anybody?
> /Bjorn
> --
>   _     _                                               ,_______________.
> Bjorn Gronvall (Bjorn Gronvall)                        /_______________/|
> Swedish Institute of Computer Science                  |               ||
> PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
> Email: bg at, Phone +46 -8 633 15 25              |      Cat      |/
> Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------'

Serge Droz
Paul Scherrer Institut                mailto:serge.droz at
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
                                         Fax: ++41 56 310 3649

More information about the openssh-unix-dev mailing list