[OpenAFS] ssh and afs

Charles Clancy security@xauth.net
Sat, 4 May 2002 13:54:27 -0500 (CDT)

> > > To clarify, the question Daniel was asking is how to do this when
> > > you're still running kaserver.
> >
> > Um, I think the answer is: you don't.
> There is a way to do this with the newer versions of OpenSSH, but it
> involves dorking with the structure of your ~/.ssh directory.

Another option is to use host keys rather than user ones.  You won't run
into ACL issues.  If you have a big network of workstations or some sort
of cluster, and want all your users to be able to SSH around without a
password, this is easier.

You need to set in sshd_config:
	RhostsAuthentication no
	RhostsRSAAuthentication yes
	HostbasedAuthentication yes
	AFSTokenPassing yes
	KerberosTgtPassing yes

Have a global /usr/local/etc/ssh_known_hosts with the host keys of all
your hosts.  Then, put all their host names in /etc/shosts.  OpenSSH will
allow logins between hosts in that file, and will also pass AFS and Krb4
tickets around.

Of course, there's the argument that if one host gets hacked, the intruder
has access to all of them.  However, if all the machines are the same
setup, chances are that the same security hole exists in all the machines
anyway.  (Bad argument, I know...)

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
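As an added check (not part of the original post), the script below verifies the prerequisites of the host-based setup described above: every host on the trusted list has a pinned key in the global ssh_known_hosts, and sshd_config carries the listed options. All paths, host names and key strings are constructed sample data in a temp directory; stock OpenSSH reads the trusted-host list from /etc/shosts.equiv.

```shell
#!/bin/sh
# Added example, not code from the original post. A host on the trusted
# list without a pinned key cannot be authenticated by host-based auth,
# so the lists must stay in sync. Sample files are constructed here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config fragment with the options from the post
cat > "$WORK/sshd_config" <<'EOF'
RhostsAuthentication no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
AFSTokenPassing yes
KerberosTgtPassing yes
EOF

# Constructed trusted-host list: three workstations, one lacks a key
printf 'ws1.example.org\nws2.example.org\nws3.example.org\n' > "$WORK/shosts"

# Constructed global known-hosts file (key fields are placeholders)
cat > "$WORK/ssh_known_hosts" <<'EOF'
ws1.example.org ssh-rsa AAAAB3PLACEHOLDERKEY1
ws2.example.org,10.0.0.2 ssh-rsa AAAAB3PLACEHOLDERKEY2
EOF

# Print each host from the trusted list that has no entry in the
# known-hosts file. The first field of an entry may be a comma-separated
# list of names and addresses, so every name in it is compared.
missing_host_keys() {
    shosts=$1; known=$2
    while read -r host; do
        [ -z "$host" ] && continue
        if ! awk -v h="$host" '{ n = split($1, names, ",");
                for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$known"; then
            echo "$host"
        fi
    done < "$shosts"
}

# Succeed (status 0) when the config file has "Option value" on a line
# of its own, ignoring leading whitespace; fail otherwise.
config_has() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|$)" "$3"
}

echo "hosts without pinned keys:"
missing_host_keys "$WORK/shosts" "$WORK/ssh_known_hosts"
config_has HostbasedAuthentication yes "$WORK/sshd_config" \
    && echo "HostbasedAuthentication is enabled"
```

Run it against the real /etc/shosts.equiv and ssh_known_hosts paths to audit a live cluster; any host it prints is trusted by name but has no key to prove it.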