Openssh + AFS

Rainer Laatsch Laatsch at
Thu May 29 02:37:35 EST 2008

The real problem is, you need a prior authentication (e.g. ssh-key) before
the ssh delivers needed creds (gssapi). The k5start concept brought me to
this solution:
I have a valid ticket in $HOME/.ssh/krb5cc.$user (protected in AFS).
Now ssh $Buser@host,
there being put under PAM;
/etc/pam.d/sshd starts with:
auth            sufficient debug ignore_root \
program=/afs/zaik/public/AuthScript progparams=$USER

The AuthScript contains:
# called from PAM auth sshd; the user name arrives via progparams=$USER
user=$1                                        # assumption: progparams is delivered as $1
KRB5CCFILE=`echo $KRB5CCNAME | sed -e 's/FILE://'`
[ "$user" = "" ] && exit 101
echo "$KRB5CCFILE" | grep ^/tmp/ >/dev/null || exit 102   # only accept a cache under /tmp
umask 0177                                     # cache file must not be world/group readable
# ask root on the user's host for the renewed cache; the forced command on the
# other side cats it, so it is written into the local cache (redirect assumed)
/usr/bin/ssh -i $PubKey root@$user $KRB5CCNAME > "$KRB5CCFILE"
rc=$?
exit $rc

The PubKey has a forced command:
command="/root/noaccess/GrantKrbTkt" ......

that contains:
# re-exec ourselves inside a fresh PAG so the admin token stays private to this run
[ "$1" != "UNDERPAG" ] && exec /usr/afsws/bin/pagsh -c "exec $0 UNDERPAG"
## hidden method to get admin token here ###
user=`echo $SSH_ORIGINAL_COMMAND | awk '{print $1}'`
KRB5CCNAME=`echo $SSH_ORIGINAL_COMMAND | awk '{print $2}'`
[ "$user" = "" ] && exit 13
TkFile=`getent passwd $user | cut -d: -f6`/.ssh/krb5cc.$user
if [ -s $TkFile ] ; then
    export KRB5CCNAME=FILE:$TkFile
    /opt/krb5/bin/kinit -R ; rc=$?         # renew the stored ticket (needs the admin token)
    chown $user $TkFile                    # kinit may have rewritten the cache as root
    [ "$rc" -eq 0 ] && cat $TkFile         # hand the renewed cache back over the ssh channel
else
    echo " NO file $TkFile" >&2
    rc=1
fi
exit $rc

Voila; admin got me a credential. Doing ssh under PAM decouples
the admin token from the user.

Best regards,
Rainer Laatsch

On Tue, 27 May 2008, Michael Loftis wrote:

> I run sshd under k5start so it can obtain tokens to read public-key files
> from users.  The ACLs are set by default to allow the daemon RO access.
> Users still need to use GSS-API though or they get 'forced out in the
> behind' as you call it when they can't access their homedir.
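Added here as an example, not code from the original post: a validator for the two fields the forced command above pulls out of SSH_ORIGINAL_COMMAND, so a user name or cache name that does not look like what the AuthScript sends is rejected before getent, kinit, chown or cat ever see it. It assumes the post's "<user> <KRB5CCNAME>" two-field format and that only FILE: caches under /tmp are legitimate (the same rule the AuthScript enforces on its side).

```shell
#!/bin/sh
# Added example: validate "<user> <KRB5CCNAME>" from SSH_ORIGINAL_COMMAND.
# Prints "user cache" and returns 0 on success; 10/11/12 on rejection.

validate_cmd() {
    set -f                             # no globbing while splitting fields
    set -- $1
    set +f
    [ $# -eq 2 ] || return 10          # exactly <user> <cache> expected
    user=$1
    cc=$2

    # User name: lowercase letters, digits, "_" or "-", no leading digit
    # or "-", at most 32 chars. Anything else (";", "/", "$", ...) is
    # refused before it can be handed to getent or chown.
    case "$user" in
        ""|[0-9-]*|*[!a-z0-9_-]*) return 11 ;;
    esac
    [ "${#user}" -le 32 ] || return 11

    # Cache name: only a FILE: cache under /tmp, with no path tricks,
    # mirroring the /tmp check the AuthScript does on the client side.
    case "$cc" in
        FILE:/tmp/?*) ;;
        *) return 12 ;;
    esac
    case "$cc" in
        *..*|*/./*|*//*) return 12 ;;
    esac

    printf '%s %s\n' "$user" "$cc"
}

# Constructed inputs (a real forced command would pass "$SSH_ORIGINAL_COMMAND").
for sample in \
    "alice FILE:/tmp/krb5cc_1000_Xa1b2c" \
    "alice;id FILE:/tmp/krb5cc_1000" \
    "alice FILE:/tmp/../etc/krb5cc" \
    "alice /tmp/krb5cc_1000" \
    "alice"
do
    out=$(validate_cmd "$sample") && echo "accepted: $out" \
        || echo "rejected ($?): $sample"
done
```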

More information about the openssh-unix-dev mailing list