OPenAFS and OpenSSH replacing kafs

Douglas E. Engert deengert at
Sat Feb 28 10:23:38 EST 2004

Would OpenSSH be willing to accept a modification similar to the one 
below to replace the kafs modification to get an AFS PAG and token?

The nice features of this are that it can be compiled in 
even if OpenAFS is not available. At runtime if the
dynamic library is present, it can be loaded and called.
A dynamic lib is used so the setpag is in the same process. 

It has been reported that the kafs code does not work with 
delegated gssapi credentials in OpenSSH-3.8. I have not had
this problem as I used a different method which this mod is 
based on. This proposed change would replace the calls to kafs.  

OpenAFS could then distribute the dynamic library, that would
get a PAG and fork/exec some program like aklog, or afslog to
actually get the token.  

The aklog or afslog could be distributed by OpenAFS or some
Kerberos vendor. 

The routine loaded is the get_afs_token routine that I proposed
last week but without the -setpag "kernel hack". It would have
setpag code added to it instead and this runs in the current
process avoiding the need to set the PAG in the parent process.   

The following compiles but I have not tested it. I am looking
for comments.

 Would OpenSSH be willing to add such a mod?

 Would OpenAFS be willing to distribute the dynamic library?
 ( I have sent this same message to the openafs-devel list yesterday
  but have not received and comments.)

 Would the Kerberos developers be willing to provide the 
 aklog  or afslog that accepted -p <path>  and an environment
 with the KRB5CCNAME in it?   

--- ,session.c	Mon Feb 23 07:01:27 2004
+++ session.c	Thu Feb 26 14:10:39 2004
@@ -58,9 +58,13 @@
 #include "session.h"
 #include "monitor_wrap.h"
+#ifdef ANL_AFS_PAG
+#include <dlfcn.h>
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -1453,6 +1457,28 @@
 	environ = env;
+#ifdef ANL_AFS_PAG
+	/* Get PAG and AFS token using external program and KRB5CCNAME */
+	if (options.kerberos_get_afs_token) {
+		void * handle;
+		int (*get_afs_token)(char * pgm, char ** env, 
+				char *homedir, int setpag);
+		debug("Getting AFS PAG and token");
+		handle = dlopen("/usr/lib/",0); /* needs a better location */
+		if (handle) {
+			get_afs_token = dlsym(handle, "get_afs_token");
+			if (get_afs_token) { 
+				debug("calling get_afs_token");
+				(*get_afs_token)(NULL, env, pw->pw_dir, 1);
+			}
+			dlclose(handle);
+		}
+	}
 #if defined(KRB5) && defined(USE_AFS)
 	 * At this point, we check to see if AFS is active and if we have
@@ -1477,6 +1503,7 @@
 		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
 	/* Change current directory to the user\'s home directory. */

More information about the openssh-unix-dev mailing list