dfs/dce and openssh

Perry Smith pedz at easesoftware.com
Fri May 11 09:24:03 EST 2007


On May 10, 2007, at 6:01 PM, Douglas E. Engert wrote:

> Simon Wilkinson wrote:
>> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>>> Perry Smith wrote:
>>>> I searched google and did not find any hits on this being solved.
>>>>
>>>> I want to get ssh so I can the dsa/rsa style password it in an
>>>> environment that uses dfs/dce authentication if that is possible (and
>>>> it has not already been solved).  In other words, I want to be able
>>>> to log into a host as a dfs/dce user without typing my password.
>>>
>>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work.  Delegation
>>> should also work, so you can get tickets for DFS.
>> The problem here is that you can't use OpenSSH's DSA/RSA key-based
>> authentication and still have credentials on the machine that
>> you've logged in to. I don't know enough about DCE to be able to
>> comment on that specific case, but in a standard Kerberos
>> environment, you'd need to run 'kinit' after login in order to
>> have credentials. There's no way (that I'd want to deploy) of
>> getting around this.
>
> DFS is like AFS on steroids, but you need Kerberos tickets to
> access DFS.
> So the answer to "I want to be able to log into a host as a dfs/dce
> user without typing my password." is no.  But with GSSAPI and Kerberos
> you should only have to do this once a day (kinit), on the machine in
> front of you.
> (I have not used DCE/DFS in about 5 years when we turned it off and
> went back to AFS.) DCE had an early Kerberos PKINIT support, so you
> might be able to use PKINIT to avoid typing a password.

I'm pretty sure that somehow Apple has managed to solve this
problem.  They authenticate with Kerberos and I can log in from system A
to system B using ssh.  There may be two problems here...

One problem is my home directory in the Apple environment is local to
each machine.  So my .ssh directory and authorized_keys are available
to the root (or sshd) process.  In my current dfs environment, my
home directory is on dfs so root can not get to it.  So, one problem is
getting access to my .ssh/authorized_keys.

The other problem is getting the ticket passed from one place to the
other -- but that should work if I am understanding all of this
correctly.

Perry Smith ( pedz at easesoftware.com )
Ease Software, Inc. ( http://www.easesoftware.com )

Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems
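The two mechanisms this thread turns on, as an added configuration example that is not from the thread or from the OpenSSH project: a server-side AuthorizedKeysFile kept outside the DFS home directory that root cannot read, and GSSAPI authentication with credential delegation so the Kerberos ticket obtained by one kinit follows the login. The directive names are standard OpenSSH ones; the path /etc/ssh/authorized_keys/%u and the host pattern *.example.com are assumptions for this example.

```text
# --- /etc/ssh/sshd_config (server side; added example) ---
# sshd reads authorized_keys as root, before the user has any Kerberos
# credentials. On a DFS home directory root holds no ticket, so the
# default ~/.ssh/authorized_keys cannot be read. Keep the keys in a
# local, root-owned directory instead (path is an assumption; it must
# not be group- or world-writable or StrictModes will reject it).
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Key-based login yields a shell but no ticket, so DFS stays unreachable.
# GSSAPI authentication lets a client that already ran kinit once (on the
# machine in front of you) log in with that ticket and forward it.
GSSAPIAuthentication yes
# Remove the forwarded credential cache when the session ends.
GSSAPICleanupCredentials yes

# --- ~/.ssh/config on the client (added example) ---
Host *.example.com
    GSSAPIAuthentication yes
    # Delegate the TGT so the remote side can obtain DFS service tickets.
    # Restrict this to hosts you trust with your credentials.
    GSSAPIDelegateCredentials yes
```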