
List:       openssh-unix-dev
Subject:    Re: [OpenAFS-devel] OpenSSH, OpenAFS,
From:       Andreas Haupt <ahaupt () ifh ! de>
Date:       2004-01-27 7:20:23
Message-ID: Pine.LNX.4.58.0401270808540.15028 () fuchur ! ifh ! de

On Mon, 26 Jan 2004, Douglas E. Engert wrote:
> Andrei Maslennikov wrote:
> >
> > We have implemented a strategy similar to the one Douglas suggested
> > in his posting. In our case (Heimdal) we allow the user to log in using his/her
> > K5 password and then call Heimdal "afslog" inside session.c:
> >
> >         system("/usr/sshutils/sbin/afslog >/dev/null 2>&1");

On a PAM aware system this should not be needed. We use pam_krb5
(http://sourceforge.net/projects/pam-krb5/). It works with password
authentication and stores the K5/4 TGT and AFS token. When doing GSSAPI
authentication it automatically converts the forwarded credentials to a K4
TGT and obtains the AFS token.

The only trick we had to do was to link OpenSSH against libpthread, for which
there is no configure option, and to set KRB5CCNAME to FILE:/tmp/krb5cc_*.
Normally ssh just stores it as /tmp/krb5cc_*.

> > What we were yet unable to achieve is the further K5 credentials
> > forwarding in case of login via the K5 password. What happens is the
> > following:
> >
> >   1) ssh to host A, login with K5 password (and obtain a PAG-based token)
>
> Was the ticket marked forwardable?  With Heimdal, can you set a default in the
> krb5.conf file that tickets should be forwardable?

Yes, in krb5.conf simply set

[libdefaults]
forwardable = true

Greetings
Andreas

-- 
| Andreas Haupt                      | E-Mail:  andreas.haupt@desy.de
|  DESY Zeuthen                      | WWW:     http://www.desy.de/~ahaupt
|  Platanenallee 6                   | Phone:   +49/33762/7-7369
|  D-15738 Zeuthen                   | Fax:     +49/33762/7-7216

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
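The two settings the thread turns on are the `[libdefaults] forwardable = true` line in krb5.conf and a KRB5CCNAME that carries the explicit `FILE:` prefix pam_krb5 expects. The script below is an added example, not code from the thread, from OpenSSH or from pam_krb5: it parses a constructed krb5.conf fragment (realm name and KDC hostname are placeholders) with the `[section]`, `key = value` and `key = { ... }` syntax that file uses, reports whether tickets default to forwardable, and normalises a bare cache path to the `FILE:` form.

```python
"""Check the krb5.conf forwardable default and the KRB5CCNAME form.

Added example, not code from the thread or from OpenSSH/pam_krb5.
"""
import re

# Constructed sample krb5.conf; realm and KDC names are placeholders.
SAMPLE_KRB5_CONF = """\
# Kerberos client configuration (constructed sample)
[libdefaults]
    default_realm = EXAMPLE.ORG
    forwardable = true
    ticket_lifetime = 24h

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Parse krb5.conf syntax into nested dicts.

    Handles [section] headers, key = value lines, key = { ... } groups and
    '#' / ';' comments. A repeated key keeps its first value.
    """
    sections = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' group in krb5.conf")
    return sections


def tickets_forwardable_by_default(conf):
    """True when [libdefaults] forwardable is set to a true-ish value."""
    value = conf.get("libdefaults", {}).get("forwardable", "false")
    return str(value).lower() in ("true", "yes", "y", "on", "t", "1")


def normalize_ccache_name(ccname):
    """Give a credential-cache name an explicit 'TYPE:' prefix.

    ssh writes the cache as a bare path like /tmp/krb5cc_<something>;
    the thread reports pam_krb5 wanting FILE:/tmp/krb5cc_<something>.
    Names that already carry a cache-type prefix are returned unchanged.
    """
    known_types = ("FILE", "DIR", "KEYRING", "MEMORY", "KCM", "API")
    prefix, sep, _ = ccname.partition(":")
    if sep and prefix.upper() in known_types:
        return ccname
    return "FILE:" + ccname


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("forwardable by default:", tickets_forwardable_by_default(conf))
    print("KRB5CCNAME:", normalize_ccache_name("/tmp/krb5cc_1000"))
```

Run it against a real `/etc/krb5.conf` by reading the file instead of the constructed sample; a missing or false `forwardable` in `[libdefaults]` is the condition Douglas asks about, and a KRB5CCNAME without the `FILE:` prefix is the one Andreas had to fix by hand.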