
SSH with K5/AFS: anyone?


Sensei

Aug 25, 2004, 9:02:49 AM
Hi. I have no luck with SSH and K5/AFS. I'm trying to make a
passwordless ssh trusting the k5 tickets and granting the access to afs
using aklog (pam_openafs_session).

I have this configuration: server with debian stable, ssh 3.6 ---
clients with gentoo ssh 3.9, nothing seems to work properly. I tried
some solutions:

- UsePAM yes PasswordAuthentication yes does not work
- Kerberos* yes does not work
- Kerberos* yes GSSAPI* does not work
- PrivilegeSeparation no/yes does not work
- ...

I don't have an idea. I waited till ssh 3.9, but nothing.

Has anyone *EVER* succeeded in using passwordless ssh with kerberos and afs?

--
Sensei <mailto:sens...@tin.it>

The optimist says "Tomorrow is Sunday".
The pessimist says "The day after tomorrow is Monday". (Gustave Flaubert)
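The post above lists sshd_config combinations tried one after another. The following script is an added example, not code from this thread or from OpenSSH: it reads an sshd_config and reports the effective value of the directives that decide whether a Kerberos/GSSAPI login can succeed at all. The directive names are real OpenSSH 3.9 keywords; the sample config file is constructed. The audit mirrors sshd's own rule that the first occurrence of a keyword wins, which is the usual reason a later "yes" in the file has no effect.

```shell
#!/bin/sh
# Added example (not code from this thread): report the sshd_config
# directives that decide whether a Kerberos/GSSAPI login can succeed.
# Directive names are real OpenSSH 3.9 keywords; the sample config
# below is constructed. sshd honours the FIRST occurrence of a
# keyword, and this audit mirrors that rule.

DIRECTIVES="GSSAPIAuthentication GSSAPICleanupCredentials \
KerberosAuthentication KerberosTicketCleanup UsePAM \
UsePrivilegeSeparation PasswordAuthentication \
ChallengeResponseAuthentication"

# effective_value FILE KEYWORD -> first value given for KEYWORD
# (keyword match is case-insensitive, comments and blank lines are
# skipped), or "(default)" when the file never sets it.
effective_value() {
    file=$1; key=$2
    val=$(awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '(default)\n'
    fi
}

# audit_sshd_config FILE -> one "Keyword value" line per directive.
audit_sshd_config() {
    for k in $DIRECTIVES; do
        printf '%s %s\n' "$k" "$(effective_value "$1" "$k")"
    done
}

# gssapi_login_possible FILE -> exit status 0 when GSSAPIAuthentication
# is on (the method a 3.8+/3.9 client negotiates as gssapi-with-mic),
# 1 otherwise: then every login drops to password/keyboard-interactive
# however the Kerberos* knobs are set.
gssapi_login_possible() {
    [ "$(effective_value "$1" GSSAPIAuthentication)" = yes ]
}

# Constructed sample: the commented-out line is ignored and the later
# "no" is the first real setting, so GSSAPI is off on this server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sshd_config excerpt
Port 22
#GSSAPIAuthentication yes
KerberosAuthentication yes
UsePAM yes
UsePrivilegeSeparation yes
PasswordAuthentication yes
GSSAPIAuthentication no
EOF

audit_sshd_config "$SAMPLE"
if gssapi_login_possible "$SAMPLE"; then
    echo "GSSAPI logins possible"
else
    echo "GSSAPI logins NOT possible: set GSSAPIAuthentication yes"
fi
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a "(default)" entry means the directive is inherited from the compiled-in default, which differs between distribution builds, so it is worth stating explicitly.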

Douglas E. Engert

Aug 25, 2004, 5:09:48 PM
to kerb...@mit.edu

Sensei wrote:

> Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a
> passwordless ssh trusting the k5 tickets and granting the access to afs
> using aklog (pam_openafs_session).
>
> I have these configuration: server with debian stable, ssh 3.6 ---
> clients with gentoo ssh 3.9, nothing seems to work properly. I tried
> some solutions:
>
> - UsePAM yes PasswordAuthentication yes does not work
> - Kerberos* yes does not work
> - Kerberos* yes GSSAPI* does not work
> - PriviledgeSeparation no/yes does not work
> - ...
>
> I don't have an idea. I waited till ssh 3.9, but nothing.

See http://bugzilla.mindrot.org/show_bug.cgi?id=918
as a start.


>
> Has anyone *EVER* succeeded in using passwordless ssh with kerberos and afs?
>

Yes, I use it all the time with gssapi. But we have a local mod to
get the PAG and token. The above patch to 3.9 should allow the
pam_openafs_session to see the KRB5CCNAME, or is a start so the
pam_openafs_session can be converted to a pam_sm_setcred to
use the KRB5CCNAME in all cases.


--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Sensei

Aug 26, 2004, 6:21:19 AM
Douglas E. Engert wrote:
> See http://bugzilla.mindrot.org/show_bug.cgi?id=918

Ok, but it doesn't work. Not with the patch, not with gssapi, not with
pam, not with anything.

> Yes use it all the time with gssapi.

So how come you have it working? What are your settings? I'm quite
bored of seeing openssh treated as a dumb guy since version 3.4 --- it
was perfect and it worked. It's a shame it does not work except for
debian stable.

Can you tell me how?

Jens Kleineheismann

Aug 27, 2004, 6:01:31 AM
Hej hej,

Sensei <no...@nowhere.org> wrote:
> Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a
> passwordless ssh trusting the k5 tickets and granting the access to afs
> using aklog (pam_openafs_session).

I had problems too, after upgrading openssh from 3.6 to 3.8, that
drove me crazy for weeks. I am still testing if everything works
all right now, but it seems good.

I don't know if it is the same thing on your side, because I use
different pam modules and maybe have a different setup at all.

But maybe it can help you.

In my setup, the kerberos ticket is acquired within pam_authenticate()
and stuffed into memory. Then, within pam_open_session() it will be
written to the disk and aklog will be called.
Therefore pam_sm_open_session() must know about KRB5CCNAME and must
have access to the ticket that is held in memory. These things
come from pam_sm_authenticate().

Since openssh 3.7xx the pam_authenticate() stuff and the
pam_open_session() stuff will be done by separate children (no matter
if UsePrivilegeSeparation yes or no).
So the pam functions cannot communicate with each other via the pam
environment.

Unfortunately, AFAIK there is still no proper solution for that. The
only workaround I know is to compile openssh with USE_POSIX_THREADS
and link it against libpthread. But this is not recommended by the
openssh folks.

To do so, add '--with-cppflags=-DUSE_POSIX_THREADS' and
'--with-libs=-lpthread' to the options of the ./configure script.

A second problem is that the gssapi authentication method has changed.
Our old openssh progs are patched with the gssapi stuff from Simon
Wilkinson and announce a 'gssapi' authentication.
The new openssh progs announce a 'gssapi-with-mic' authentication.


> Has anyone *EVER* succeeded in using passwordless ssh with kerberos
> and afs?

As said, between my new openssh 3.8.1p1 machines it seems to work.
To be complete, I use a modified pam_krb5-2.0.4 (source is from
Red Hat's RPM), where the libkrbafs stuff is replaced by aklog stuff.


hope this helps,
heinzel =u}

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s-:-- a- C++(---) UL++++$ P--- L+++ E--- W(--) N++ o? K? w---
O M- !V PS+++ PE Y+ PGP+ t 5- X- R* tv-- b++ DI-- D---- G e h++ r@ !y
------END GEEK CODE BLOCK------
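The second problem in the post above, 'gssapi' versus 'gssapi-with-mic', is easy to miss because the client never reports it: it just moves on to the next method and asks for a password. The script below is an added example, not code from this thread or from OpenSSH; it reads a client-side `ssh -v` transcript and says which GSSAPI method name the server offered and which method the login finally used. The two transcripts in it are constructed; the "Authentications that can continue" and "Authentication succeeded" lines are the ones the OpenSSH client prints at debug level 1.

```shell
#!/bin/sh
# Added example (not code from this thread): read the client's
# `ssh -v` transcript and tell apart the two GSSAPI method names a
# server may offer, 'gssapi' (the older Simon Wilkinson patch) and
# 'gssapi-with-mic' (OpenSSH 3.8 and later). A mismatch is invisible
# to the user: the client silently moves on to the next method and
# ends up asking for a password. The log lines below are constructed;
# real input is `ssh -v host 2>&1 | tee ssh.log`.

# offered_methods LOGFILE -> comma-separated list from the first
# "Authentications that can continue:" line the server sent.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' "$1" | head -n 1
}

# has_method LIST NAME -> status 0 when NAME is an exact item of LIST.
has_method() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF "$2"
}

# gssapi_diagnosis LOGFILE -> one word:
#   with-mic  server offers gssapi-with-mic, what a 3.8+ client speaks
#   legacy    server offers only the old 'gssapi' name; a 3.8+ client
#             will not try it and falls through to the next method
#   none      no GSSAPI method at all: GSSAPIAuthentication is off or
#             sshd was built without Kerberos/GSSAPI support
gssapi_diagnosis() {
    list=$(offered_methods "$1")
    if has_method "$list" gssapi-with-mic; then
        echo with-mic
    elif has_method "$list" gssapi; then
        echo legacy
    else
        echo none
    fi
}

# method_used LOGFILE -> the method the login finally succeeded with,
# from the "Authentication succeeded (...)" line, or "none".
method_used() {
    m=$(sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*/\1/p' "$1" | head -n 1)
    if [ -n "$m" ]; then echo "$m"; else echo none; fi
}

# Constructed transcript 1: a server still announcing the old method
# name, so the client ends up at keyboard-interactive (a password).
LOG_LEGACY=$(mktemp)
cat > "$LOG_LEGACY" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
EOF

# Constructed transcript 2: a 3.9 server with GSSAPIAuthentication yes.
LOG_OK=$(mktemp)
cat > "$LOG_OK" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF

for log in "$LOG_LEGACY" "$LOG_OK"; do
    echo "offered: $(gssapi_diagnosis "$log"), used: $(method_used "$log")"
done
```

A "legacy" result with "keyboard-interactive" as the method used is the signature of the mismatch described above: the fix is on the server (an sshd that announces gssapi-with-mic), not in the client's ssh_config.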

Douglas E. Engert

Aug 27, 2004, 10:36:34 AM
to kerb...@mit.edu

Sensei wrote:

> Douglas E. Engert wrote:
>
>> See http://bugzilla.mindrot.org/show_bug.cgi?id=918
>
> Ok, but it doesn't work. Not with the patch, not with gssapi, not with
> pam, not with anything.
>
>> Yes use it all the time with gssapi.
>
> So how it comes you have it working? What are your settings?

Since you are hiding your identity, I am reluctant to continue this
discussion. If you want help, you will need to show others on this list
what you have done first.

> I'm quite
> bored of seeing openssh treated as a dumb guy since version 3.4 --- it
> was perfect and it worked. It's a shame it does not work except for
> debian stable.
>
> Can you tell me how?

Based on your other messages to this list, your Kerberos environment
is not setup correctly. You will need that first.

Sensei

Aug 27, 2004, 11:15:57 AM
Douglas E. Engert wrote:
> Since you are hiding your identity, I am reluctent to continue this
> discussion. If you want help, you will need to show others on this list
> what you have done first.

You can use my academic mail mili...@dia.uniroma3.it but I cannot use
it outside my university. So, I began to use my personal account. That's
it. Moreover, who cares who I am and why would he care? :)

Anyway, the situation is this: two ssh which are NOT compatible as I
learned. The 3.4 version can't compile on new systems since it relies on
cyrus-sasl 1.5, while on the client side I use the new 2.1 version. Now,
I wonder if it's possible to make all the ssh 3.9 work with kerberos.

On this side, pam is set up with debian stable modules on ALL systems
(client and server, debian and gentoo --- I recompiled them). So, at
login, I get authenticated via pam_krb5, the optional sessions pam_krb5
and pam_openafs_session are executed when someone uses a kerberos/afs
account. The tickets are forwardable, renewable, proxiable. The afs
tokens have no such flags.

SSH should simply forward the TGT ticket held by the principal, then
grant the access since the kerberos tickets are a trusted authentication
method. Now, after granting the access, the tickets should be kept in
the kerberos cache and open a pam_krb5 session. After that, the
pam_openafs_session pam session has to run aklog and transform the
ticket in a token.

I usually use openssh on the client side from gentoo's portage, but I
tried to compile it myself. Nothing. Always a password (keyboard
interactive).

> Based on your other messages to this list, your Kerberos environment
> is not setup correctly. You will need that first.

The only thing that is really set up correctly is kerberos and afs... and
that's _sure_. The last post is about something really strange on debian
stable: it always worked and now I don't see why it shows the strange
message about the kerberos library... I didn't change anything. Anyway,
it's just the slave kdc, not the master. The main servers are really
working.
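The post above spells out the chain a working login should leave behind: a forwarded TGT in the cache named by KRB5CCNAME, then an AFS token produced by aklog from the pam_openafs_session stack. The script below is an added example, not code from this thread or from any of the projects mentioned; it walks that chain from the session side and names the first missing link, which tells you whether the problem is sshd/PAM never handing over a cache, delegation being off on the client, or aklog never running. It takes the KRB5CCNAME value and the `klist -f` and `tokens` outputs as arguments so it can be exercised against the constructed samples below; on a real host call it as `credential_chain "$KRB5CCNAME" "$(klist -f 2>&1)" "$(tokens 2>&1)"`.

```shell
#!/bin/sh
# Added example (not code from this thread): walk the credential chain
# a Kerberos/AFS ssh login should leave behind and report the first
# missing link. All sample outputs below are constructed; on a real
# host the inputs are $KRB5CCNAME, `klist -f` and `tokens`.

# credential_chain CCNAME KLIST_OUTPUT TOKENS_OUTPUT -> prints one of:
#   no-ccache  KRB5CCNAME is unset: sshd/PAM never handed a cache to the
#              session (the split authenticate/session problem)
#   no-tgt     a cache is named but holds no krbtgt: delegation was off
#              (client GSSAPIDelegateCredentials no) or the ticket was
#              not forwardable, so nothing arrived
#   no-token   TGT present but no AFS token: aklog never ran, i.e.
#              pam_openafs_session is missing from the session stack
#   ok         TGT and AFS token both present
credential_chain() {
    ccname=$1; klist_out=$2; tokens_out=$3
    [ -n "$ccname" ] || { echo no-ccache; return; }
    printf '%s\n' "$klist_out" | grep -q 'krbtgt/' || { echo no-tgt; return; }
    printf '%s\n' "$tokens_out" | grep -q 'tokens for afs@' || { echo no-token; return; }
    echo ok
}

# tgt_forwardable KLIST_OUTPUT -> status 0 when the krbtgt entry carries
# the F (forwardable) flag on its "Flags:" line; a client cannot delegate
# a TGT that was obtained without it.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { if ($0 ~ /Flags: [A-Za-z]*F/) ok = 1; want = 0 }
        END { exit ok ? 0 : 1 }'
}

# Constructed `klist -f` output: a forwarded, forwardable, renewable TGT.
KLIST_TGT='Ticket cache: FILE:/tmp/krb5cc_1000_Ab12Cd
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/27/04 11:15:57  08/27/04 21:15:57  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FfRA'

# Constructed `klist -f` output: same TGT obtained without the F flag.
KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_1000_Ab12Cd
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/27/04 11:15:57  08/27/04 21:15:57  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: RA'

# Constructed `klist` output for an empty cache.
KLIST_EMPTY='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000_Ab12Cd)'

# Constructed `tokens` outputs, with and without a token.
TOKENS_NONE='Tokens held by the Cache Manager:

   --End of list--'
TOKENS_OK="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Aug 28 11:15]
   --End of list--"

CC=FILE:/tmp/krb5cc_1000_Ab12Cd
echo "unset KRB5CCNAME:      $(credential_chain ""    "$KLIST_TGT"   "$TOKENS_OK")"
echo "empty cache:           $(credential_chain "$CC" "$KLIST_EMPTY" "$TOKENS_NONE")"
echo "TGT but no token:      $(credential_chain "$CC" "$KLIST_TGT"   "$TOKENS_NONE")"
echo "TGT and token:         $(credential_chain "$CC" "$KLIST_TGT"   "$TOKENS_OK")"
```

Each verdict points at a different layer: "no-ccache" is the sshd/PAM hand-off discussed earlier in the thread, "no-tgt" is the client's delegation setting or ticket flags, and "no-token" is the PAM session stack, so the check stops the three from being confused with one another.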
