search for: aklog

...as the user. OpenSSH could be built on systems that may or may not have AFS installed and run on a system with or without AFS. The decision is based on the existence of the executable and any options in sshd_config. In its simplest form, all that is needed is: system("/usr/ssh/libexec/aklog -setpag") This is a little over simplified as there should be a test if the executable exists, processing of some return codes, making sure the environment is set, setting some time limit. etc. But the point is there is no compile dependence on OpenAFS, MIT or Hiemdal by the OpenSSH sshd...

...k with delegated gssapi credentials in OpenSSH-3.8. I have not had this problem as I used a different method which this mod is based on. This proposed change would replace the calls to kafs. OpenAFS could then distribute the dynamic library, that would get a PAG and fork/exec some program like aklog, or afslog to actually get the token. The aklog or afslog could be distributed by OpenAFS or some Kerberos vendor. The routine loaded is the get_afs_token routine that I proposed last week but without the -setpag "kernel hack". It would have setpag code added to it instead and this r...

Hello everybody! I have the following problem using version 3.7.1p1 on redhat linux 7.3 and 9. We are running a system where users home directories reside on AFS. Up to and including version 3.6.1p2 we used Simon Wilkinson's gssapi patch in conjunction with a pam_module, which executed 'aklog', a program that converts a kerberos ticket to an AFS token. This does not work anymore with priv separation enabled. I had a look at the sources and found out, that the transferred Kerberos credentials got stored after the pam_session module was executed. I therefor created the attached small...

...on of the PAM configuration file. Everything works as expected when I log in as a user that has not yet obtained any Kerberos credentials. The pam_krb5 module successfully authenticates a user by prompting for a user name and password and obtains tickets. Then the pam_openafs_session module runs aklog and obtains AFS tokens. When connecting to the machine as a user who has already obtained valid Kerberos credentials, authentication occurs as expected (I?m not prompted for a password) but pam_openafs_session fails to obtain AFS tokens. I?m using ssh protocol 2, so token passing is not possible...

In an environment where users use smart cards to authenticate on Windows and then use ssh to login to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets. Meanwhile it is entirely likely that on the

.... -At 09:03 PM 9/4/1999 -0500, you wrote: >Sorry I haven't gotten back to you... > >I've had tremendous trouble with IRIX and alot of things, but basically, >all the code that matters is in source/passdb/pass_check.c. > >I've got local patches that make it work with aklog as well, but other >than that I'm pretty much running the same code. > >You might take a look at config.h and make sure that KRB5_AUTH was >defined. That will tell you. You can also try adding some debugging to >pass_check.c, since it currently doesn't say anything about kerb...

The native authentication methods of openssh are (not counting insecure RhostsRSAAuthentication) 1) public key 2) password For users with home dirs in AFS space, method 1) does not work. Except with (non foolproof) fiddling on the access controls within the home directory. This might lead to security issues when done by inexperienced users. Without some work, only 2) remains. Being forced to send

(I hope this message is appropriate for these lists. If not, please tell me and I won't do it again.) Hi All. There will be a new release of OpenSSH in a couple of weeks. This release contains Kerberos and GSSAPI related changes that we would like to get some feedback about (and hopefully address any issues with) before the release. I encourage anyone with an interest in

Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for