OpenAFS and OpenSSH replacing kafs
Douglas E. Engert
deengert at anl.gov
Sat Feb 28 10:23:38 EST 2004
Would OpenSSH be willing to accept a modification similar to the one
below to replace the kafs modification to get an AFS PAG and token?
The nice features of this are that it can be compiled in
even if OpenAFS is not available. At runtime if the
dynamic library is present, it can be loaded and called.
A dynamic lib is used so the setpag is in the same process.
It has been reported that the kafs code does not work with
delegated gssapi credentials in OpenSSH-3.8. I have not had
this problem as I used a different method which this mod is
based on. This proposed change would replace the calls to kafs.
OpenAFS could then distribute the dynamic library, which would
get a PAG and fork/exec some program like aklog or afslog to
actually get the token.
The aklog or afslog could be distributed by OpenAFS or some
Kerberos vendor.
The routine loaded is the get_afs_token routine that I proposed
last week but without the -setpag "kernel hack". It would have
setpag code added to it instead and this runs in the current
process avoiding the need to set the PAG in the parent process.
The following compiles but I have not tested it. I am looking
for comments.
Would OpenSSH be willing to add such a mod?
Would OpenAFS be willing to distribute the dynamic library?
(I have sent this same message to the openafs-devel list yesterday
but have not received any comments.)
Would the Kerberos developers be willing to provide the
aklog or afslog that accepted -p <path> and an environment
with the KRB5CCNAME in it?
--- ,session.c Mon Feb 23 07:01:27 2004
+++ session.c Thu Feb 26 14:10:39 2004
@@ -58,9 +58,13 @@
#include "session.h"
#include "monitor_wrap.h"
+#ifdef ANL_AFS_PAG
+#include <dlfcn.h>
+#else
#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
#endif
+#endif
#ifdef GSSAPI
#include "ssh-gss.h"
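Review bot: the `#include <dlfcn.h>` under `#ifdef ANL_AFS_PAG` has no configure-time guard, so the build will only work on platforms that ship dlfcn.h; tie the new macro to a configure check (for example a HAVE_DLFCN_H test) rather than a hand-defined, site-named symbol like ANL_AFS_PAG, and give the option a neutral name if it is meant for the upstream tree.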
@@ -1453,6 +1457,28 @@
*/
environ = env;
+
+#ifdef ANL_AFS_PAG
+ /* Get PAG and AFS token using external program and KRB5CCNAME */
+ if (options.kerberos_get_afs_token) {
+ void * handle;
+ int (*get_afs_token)(char * pgm, char ** env,
+ char *homedir, int setpag);
+
+ debug("Getting AFS PAG and token");
+ handle = dlopen("/usr/lib/afs_get_token.so",0); /* needs a better location */
+
+ if (handle) {
+ get_afs_token = dlsym(handle, "get_afs_token");
+ if (get_afs_token) {
+ debug("calling get_afs_token");
+ (*get_afs_token)(NULL, env, pw->pw_dir, 1);
+ }
+ dlclose(handle);
+ }
+ }
+#else
+
#if defined(KRB5) && defined(USE_AFS)
/*
* At this point, we check to see if AFS is active and if we have
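Review bot: `dlopen("/usr/lib/afs_get_token.so",0)` passes a mode of 0, which is not a valid mode under POSIX (glibc rejects it with "invalid mode"), so the load will fail on exactly the systems this is aimed at; use `RTLD_NOW` and log `dlerror()` when `handle` is NULL so a missing or broken library is visible in the debug output. The return value of `(*get_afs_token)(NULL, env, pw->pw_dir, 1)` is also discarded, so a failed PAG/token acquisition is silent; check it and `debug()` or `logit()` the result. Since this loads arbitrary code from a fixed path into the session process, the path should come from sshd_config rather than be hard-coded (the comment already flags the location), and it is worth confirming in do_child that this runs after the privilege drop so the library and the program it fork/execs never run with sshd's privileges.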
@@ -1477,6 +1503,7 @@
krb5_afslog_home(s->authctxt->krb5_ctx,
s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
}
+#endif
#endif
/* Change current directory to the user\'s home directory. */
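Review bot: with this extra `#endif` there are now two unlabeled nested `#endif`s in a row, which makes the ANL_AFS_PAG/KRB5 nesting hard to follow; write it as `#endif /* ANL_AFS_PAG */` (and the existing one as `#endif /* KRB5 && USE_AFS */`) so the matching is obvious to the next reader.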