similar to: [PATCH] Getting AFS tokens from a GSSAPI-delegated TGT

The attached patch removes the duplicated credentials cache generation code in auth-krb5.c and gss-serv-krb5.c, by turning it into a procedure which is then called by both sections of code. It's against the latest portable CVS tree. Cheers, Simon. -------------- next part -------------- Index: auth-krb5.c =================================================================== RCS file:

I'm using a OpenSSH 3.0.2p1 with the krb5 patch from <http://www.sxw.org.uk/computing/patches/openssh.html>. I'm getting KRB5CCNAME set to "" even though <http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98269278629018&w=2> mentions fixing it. This causes things like kinit to fail with a somewhat uninformative error message. The relevant sshd_config lines

Hi All. I'm looking for some help to merge an outstanding Kerberos credential cache change from OpenBSD into Portable. I don't know enough about Kerberos to figure out how that change should be applied for the non-Heimdal(?) code path. The outstanding diff is attached. Any volunteers? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4

Would OpenSSH be willing to accept a modification similar to the one below to replace the kafs modification to get an AFS PAG and token? The nice features of this are that it can be compiled in even if OpenAFS is not available. At runtime if the dynamic library is present, it can be loaded and called. A dynamic lib is used so the setpag is in the same process. It has been reported that the

Hello, I going to use ssh with Kerberos V5 support along with support for AFS. I don't want to use Kerberos V4 or AFS token passing. The only thing I need from AFS is creating an AFS token (using appropriate function from krb5 API) after user's authentication. It seems to me that such scenario is not much supported by the current code. Rather it is assumed only Kerberos 4 will be used

Hi All. Recently a change was merged from OpenBSD's sshd into Portable that implements a KerberosGetAFSToken option (patchset attached). This change causes compile errors with both MIT Kerberos and Heimdal (errors when compiled with MIT Kerberos below). I've figured out that the functions called in the new code are in Heimdal's libkafs, so adding -lkafs to the start for the

As far as I know this patch has no security implications -- I don't believe that allowing sshd to use get_local_name() (in canohost.c) on a connected socket to determine it's own fqdn will allow a malicious client (or router or dns server) to make it come to the wrong conclusion. But please let me know if you think I'm wrong. Please also let me know if you're just not interested

Hi Aurélien, Thanks for the idea! For Debian packages: 6.4-1 works 6.5-1 works 6.5-2 works 6.6-1 fails 6.6-5 fails So looks like something changed from 6.5 to 6.6... When I have time I'll figure out how to compile the upcall binary.

Time for a new cifs-utils release! The main change in this release is a set of cleanups to cifs.upcall to make it more efficient and work better with alternate style credcaches. No longer does it blithely stumble around in /tmp looking for credcaches. We now just use the default credcache that to which the krb5.conf points. Go forth and download!

This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options

Hi Jeff, Could you look at the following mailing list posting? https://lists.samba.org/archive/samba/2017-February/206468.html It looks like cifs.upcall has changed its behavior. As described in that post, I can mount with root / kerberos, but then cannot access with another user who has credentials. The logs indicate that cifs.upcall cannot find the kerberos ticket for the non-root user.

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================== "Minds are like parachutes. They only function when they are open." Sir James Dewar =============================================================== Release Announcements ===================== This is a bug fix release of the Samba 3.0 series.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================== "Minds are like parachutes. They only function when they are open." Sir James Dewar =============================================================== Release Announcements ===================== This is a bug fix release of the Samba 3.0 series.

please test Olaf Kirch's patch. it looks fine to me, but i don't to K5. i'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Chad William Seys via samba <samba at lists.samba.org> writes: > But when cifs-utils 6.4-1 is installed (from jessie) the different > user can access as expect. AFAIK there are no other differences besides > the cifs-utils version. Not counting any distro-specific patches it seems cifs.upcall only had 5 commits affecting it between these 2 releases: $ git log

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier