[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Andreas Haupt
ahaupt at ifh.de
Tue Jan 27 18:20:23 EST 2004
On Mon, 26 Jan 2004, Douglas E. Engert wrote:
> Andrei Maslennikov wrote:
> >
> > We have implemented the strategy similar to the one that Douglas suggested
> > in his posting. In our case (Heimdal) we allow user to login using his/her
> > K5 password and then call Heimdal "afslog" inside session.c:
> >
> > system("/usr/sshutils/sbin/afslog >/dev/null 2>&1");
On a PAM aware system this should not be needed. We use pam_krb5
(http://sourceforge.net/projects/pam-krb5/). It works with password
authentication and stores the K5/4 TGT and AFS token. When doing GSSAPI
authentication it automatically converts the forwarded credentials to a K4
TGT and obtains the AFS token.
The only trick we had to do was to link OpenSSH against libpthread, which
is not a configure option, and to set KRB5CCNAME to FILE:/tmp/krb5cc_*.
Normally ssh just stores it in /tmp/krb5cc_*.
> > What we were yet unable to achieve is the further K5 credentials
> > forwarding in case of login via the K5 password. What happens is the
> > following:
> >
> > 1) ssh to host A, login with K5 password (and obtain a PAG-based token)
>
> Was the ticket marked forwardable? Can you set with Heimdal in the
> krb5.conf file a default that tickets should be forwardable?
Yes, in krb5.conf simply set
[libdefaults]
forwardable = true
Greetings
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt at desy.de
| DESY Zeuthen | WWW: http://www.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7369
| D-15738 Zeuthen | Fax: +49/33762/7-7216
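The two settings the reply above relies on (forwardable tickets via [libdefaults] in krb5.conf, and a FILE:-type credential cache under /tmp/krb5cc_*) are easy to get subtly wrong on a host. The following is an added example, not code from the thread or from any of the projects named in it: a small Python checker that parses krb5.conf in the section/key=value shape the post shows and reports whether forwardable is on by default, and that checks a KRB5CCNAME value against the FILE:/tmp/krb5cc_* form. The sample configuration text, the realm name EXAMPLE.ORG, and the cache-name suffix pattern are constructed for the example.

```python
import re

# Constructed sample krb5.conf contents (not from the thread): one without
# the setting the post recommends and one with it added to [libdefaults].
KRB5_CONF_MISSING = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 24h

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

KRB5_CONF_FIXED = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 24h
    forwardable = true

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""


def parse_krb5_conf(text):
    """Parse the top-level 'key = value' lines of each [section] in krb5.conf.

    Brace-delimited sub-blocks (such as the per-realm blocks in [realms])
    are skipped so their keys are not mistaken for section-level settings.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        # krb5.conf comments begin with '#' or ';'
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header and depth == 0:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if line.endswith('{'):
            depth += 1
            continue
        if line == '}':
            depth = max(depth - 1, 0)
            continue
        if depth == 0 and current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            sections[current][key.lower()] = value
    return sections


def tickets_forwardable_by_default(text):
    """True when [libdefaults] sets forwardable to a true-ish value."""
    value = parse_krb5_conf(text).get('libdefaults', {}).get('forwardable', 'false')
    return value.lower() in ('true', 'yes', '1', 'on')


# Accepts an explicit FILE: cache under /tmp/krb5cc_ followed by any
# per-user suffix; the suffix character class is an assumption for the example.
CCACHE_RE = re.compile(r'^FILE:/tmp/krb5cc_[A-Za-z0-9_.-]+$')


def ccache_name_is_file_based(krb5ccname):
    """Check that KRB5CCNAME uses the FILE:/tmp/krb5cc_* form the post describes."""
    return bool(CCACHE_RE.match(krb5ccname))


if __name__ == '__main__':
    for label, conf in (('missing', KRB5_CONF_MISSING), ('fixed', KRB5_CONF_FIXED)):
        print(label, 'forwardable:', tickets_forwardable_by_default(conf))
    for name in ('FILE:/tmp/krb5cc_1000_AbCd12', 'KCM:1000'):
        print(name, 'file-based cache:', ccache_name_is_file_based(name))
```

Run against a real host, you would feed it the contents of /etc/krb5.conf and the KRB5CCNAME seen inside an ssh session; a false result from either function points at the same two causes the thread discusses, a TGT that was never forwardable or a cache location the AFS token step cannot find.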