[OpenAFS] Passwordless login through ssh with pam/afs.

Walter Lamagna wlamagna@tenroses.com.ar
Wed, 14 Mar 2007 13:11:12 -0300

Thanks for your answer.  It is acceptable for me to doesnt have the
token when i ssh, the ~/.ssh directory in the users home (which is in
the AFS) is publicly readable.

But i do get this error when i want to ssh to the host:

pam_afs[26655]: AFS Won't use illegal password for user integra

Does pam_afs restricts the login because i am willing to use public key
with ssh ?


On Wed, 2007-03-14 at 08:55 -0700, Russ Allbery wrote:
> Walter Lamagna <wlamagna@tenroses.com.ar> writes:
> > Yes, i want to login to a server though ssh authenticating with public
> > key, using the authorized_keys2 file located in the users home
> > directory, i have this directive in sshd_config:
> > AuthorizedKeysFile  ~/.ssh/authorized_keys2
> > How can i do this ?
> Like that, with making that directory world-readable.  However, after the
> person logs in, they won't have AFS tokens, and you can't run the AFS PAM
> module for those logins since it can't do anything meaningful without a
> password.  (In general, you don't want to be using the pam_afs from the
> OpenAFS source tree at all unless you're running a Kerberos infrastructure
> based on AFS kaserver, which you don't want to be doing, so I'll just go
> back to "you don't want to be using that module at all.")
> If you want people to be able to log in with ssh public key authentication
> and also get an AFS token, well, the answer is that you can't do that.
> There's no way currently to go from ssh public key authentication to an
> AFS token.