dfs/dce and openssh

Douglas E. Engert deengert at anl.gov
Fri May 11 09:45:54 EST 2007



Perry Smith wrote:
> 
> On May 10, 2007, at 6:01 PM, Douglas E. Engert wrote:
> 
>>
>>
>> Simon Wilkinson wrote:
>>> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>>>> Perry Smith wrote:
>>>>> I searched google and did not find any hits on this being solved.
>>>>>
>>>>> I want to get ssh so I can the dsa/rsa style password it in an
>>>>> environment that uses dfs/dce authentication if that is possible (and
>>>>> it has not already been solved).  In other words, I want to be able
>>>>> to log into a host as a dfs/dce user without typing my password.
>>>>
>>>>
>>>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
>>>> should also work, so you can get tickets for DFS.
>>> The problem here is that you can't use OpenSSH's DSA/RSA key-based 
>>> authentication and still have credentials on the machine that you've 
>>> logged in to. I don't know enough about DCE to be able to comment on 
>>> that specific case, but in a standard Kerberos environment, you'd 
>>> need to run 'kinit' after login in order to have credentials. There's 
>>> no way (that I'd want to deploy) of getting around this.
>>
>> DFS is like AFS on steroids, but you need Kerberos tickets to access DFS.
>> So the answer to "I want to be able to log into a host as a dfs/dce user
>> without typing my password." is no.  But with GSSAPI and Kerberos
>> you should only have to do this once a day (kinit), on the machine in
>> front of you.
>> (I have not used DCE/DFS in about 5 years when we turned it off and went
>> back to AFS.) DCE had an early Kerberos PKINIT support, so you might be
>> able to use PKINIT to avoid typing a password.
> 
> I'm pretty sure that somehow Apple has managed to solve this problem.  
> They authenticate with Kerberos and I can log from system A to system B 
> using ssh. 


So do a klist and see if you have tickets.  Look to see if you have an
environment variable KRB5CCNAME


There may be two problems here...
> 
> One problem is my home directory in the Apple environment is local to 
> each machine.  So my .ssh directory and authorized_keys are available to 
> the root (or sshd) process.   In my current dfs environment, my home 
> directory is 
> on dfs so root can not get to it.  

Correct, you or root need Kerberos tickets to access DFS.

> So, one problem is getting accessed 
> to my .ssh/authorized_keys.

You could set the DFS ACL on the file to world readable,
or readable by selected hosts.

But you should also check with your ADMIN about how they configure
SSH on DCE clients and servers.


> 
> The other problem is getting the ticket passed from one place to the 
> other -- but that should work if I am understanding all of this correctly.

Yes, that is the SSH option GSSAPIDelegateCredentials yes
> 
> Perry Smith ( pedz at easesoftware.com )
> Ease Software, Inc. ( http://www.easesoftware.com )
> 
> Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
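As an added example (not code from the thread or from OpenSSH): a small sh script that resolves what an ssh_config actually says about GSSAPIAuthentication and GSSAPIDelegateCredentials for a given host, following ssh_config's first-match rule, plus the klist/KRB5CCNAME check suggested above. The sample config, host names and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample ssh_config (assumption, not from the thread):
# delegate credentials only to the DFS hosts, never by default.
SAMPLE_SSH_CONFIG='Host dfs-*.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
'

# ssh_config_value HOST KEYWORD   (ssh_config text on stdin)
# Prints the effective value of KEYWORD for HOST. ssh_config semantics:
# the first obtained value wins, lines before any Host block apply to
# every host, and Host patterns may use * and ? wildcards (negated
# patterns with ! are not handled here).
ssh_config_value() {
    awk -v host="$1" -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    function glob_match(pat, s) {
        gsub(/\./, "\\\\.", pat)      # literal dots in the pattern
        gsub(/\*/, ".*", pat)         # * matches any run of characters
        gsub(/\?/, ".", pat)          # ? matches one character
        return s ~ ("^" pat "$")
    }
    BEGIN { active = 1 }              # global section before any Host
    { sub(/#.*/, ""); sub(/=/, " ") } # drop comments, allow Key=Value
    NF == 0 { next }
    tolower($1) == "host" {
        active = 0
        for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
        next
    }
    active && tolower($1) == key { print $2; exit }'
}

# delegation_enabled HOST   (ssh_config text on stdin)
# Succeeds only when both options resolve to "yes" for HOST; without
# delegation the remote side gets no TGT, so DFS stays out of reach
# until a separate kinit on that machine.
delegation_enabled() {
    cfg=$(cat)
    auth=$(printf '%s\n' "$cfg" | ssh_config_value "$1" GSSAPIAuthentication)
    deleg=$(printf '%s\n' "$cfg" | ssh_config_value "$1" GSSAPIDelegateCredentials)
    [ "$auth" = yes ] && [ "$deleg" = yes ]
}

# have_krb5_creds: the "klist / KRB5CCNAME" check from the reply above.
have_krb5_creds() {
    [ -n "$KRB5CCNAME" ] || echo "KRB5CCNAME not set, using default cache" >&2
    command -v klist >/dev/null 2>&1 && klist -s
}
```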

