Openssh + AFS

Rainer Laatsch Laatsch at uni-koeln.de
Thu May 29 02:37:35 EST 2008


The real problem is, you need a prior authentication (e.g. ssh-key) before
the ssh delivers needed creds (gssapi). The k5start concept brought me to
this solution:
I have a valid ticket in $HOME/.ssh/krb5cc.$user (protected in AFS).
Now ssh $Buser@host there being put under pam;
/etc/pam.d/sshd starts with:
auth            sufficient      pam_runexec.so debug ignore_root \
program=/afs/zaik/public/AuthScript progparams=$USER

The AuthScript contains:
#!/bin/ksh
# called from PAM auth sshd; progparams=$USER passes the login name as $1
user=$1
# sshd exports KRB5CCNAME as FILE:/tmp/krb5cc_...; strip the FILE: prefix
KRB5CCFILE=`echo "$KRB5CCNAME" | sed -e 's/FILE://'`
[ "$user" = "" ] && exit 101
# only ever write a cache file under /tmp
echo "$KRB5CCFILE" | grep '^/tmp/' >/dev/null || exit 102
umask 0177
# identity file for the service account; its forced command on hal
# returns the renewed ticket cache on stdout
PubKey=/afs/zaik/public/servicekey
/usr/bin/ssh -i "$PubKey" root@hal.rrz.uni-koeln.de "$user" "$KRB5CCNAME" >"$KRB5CCFILE"
rc=$?
exit $rc

The PubKey has a forced command:
command="/root/noaccess/GrantKrbTkt" ......

that contains:
#!/bin/ksh
# forced command for the servicekey; re-exec itself inside a fresh PAG
[ "$1" != "UNDERPAG" ] && exec /usr/afsws/bin/pagsh -c "exec $0 UNDERPAG $*"
shift
## hidden method to get admin token here ###
# SSH_ORIGINAL_COMMAND is "<user> <KRB5CCNAME>" as sent by AuthScript;
# the client's cache name is parsed here but overwritten below
user=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $1}'`
KRB5CCNAME=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $2}'`
[ "$user" = "" ] && exit 13
rc=99
# the user's long-lived cache, kept in AFS and readable with the admin token
TkFile=`getent passwd "$user" | cut -d: -f6`/.ssh/krb5cc.$user
if [ -s "$TkFile" ] ; then
    export KRB5CCNAME=FILE:$TkFile
    # renew the ticket in place, then hand the cache back on stdout
    /opt/krb5/bin/kinit -R ; rc=$?
    chown "$user" "$TkFile"
    [ "$rc" -eq 0 ] && cat "$TkFile"
else
    echo " NO file $TkFile" >&2
fi
exit $rc

Voila; admin got me a credential. Doing ssh under Pam decouples
the admin token from the user.


Best regards,
Rainer Laatsch



On Tue, 27 May 2008, Michael Loftis wrote:

> I run sshd under k5start so it can obtain tokens to read public-key files
> from users.  The ACLs are set by default to allow the daemon RO access.
> Users still need to use GSS-API though or they get 'forced out in the
> behind' as you call it when they can't access their homedir.


