Openssh + AFS
mloftis at wgops.com
Wed May 28 06:10:58 EST 2008
--On May 27, 2008 7:34:42 PM +0200 Rainer Laatsch <Laatsch at Uni-Koeln.de>
> The native authentication methods of openssh are
> (not counting insecure RhostsRSAAuthentication)
> 1) public key
> 2) password
> For users with home dirs in AFS space, method 1) does not work.
> Except with (non foolproof) fiddling on the access controls within
> the home directory. This might lead to security issues when done
> by inexperienced users.
> Without some work, only 2) remains. Being forced to send the most
> intimate credential instead of an ssh-key is not that nice.
> The use of Krb5 ticket passing with GSS-API is thought to be useful.
> But the authentication is done 'under the hood'; the administrator
> has no chance to issue finer controls regarding then ticket contents.
> When the ticket is accepted but not sufficient to open up the home dir,
> the user must be forced out in the behind.
> I would like to propose an initial credential exchange phase. The client
> might send ticket, x509-creds, afs-tokens or whatever. This should not
> authenticate the user, but help in authentcation with other methods.
> If activation of these credentials allows access to the AFS home dir,
> standard ssh-key authentication can be done. So a double
> authentication is enforced: the credentials must be sufficient for AFS
> and an ssh-key (from within protected AFS space) authentication has to be
I run sshd under k5start so it can obtain tokens to read public-key files
from users. The ACLs are set by default to allow the daemon RO access.
Users still need to use GSS-API though or they get 'forced out in the
behind' as you call it when they can't access their homedir.
> Patches for a working example can be found in
> It implements AFS-Token-passing and Krb5-ticket-passing for protocol-2
> (adding X509-cred-passing should be easy).
> A flag 'AllowCredPassing' in the ssh config files might increase the
> acceptability for that.
> Best regards,
> Rainer Laatsch
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
More information about the openssh-unix-dev