[OpenAFS] Many questions

Russ Allbery rra@stanford.edu
13 Dec 2000 17:30:37 -0800

I'm going to bail on most of these questions... some of them are ones that
the people here probably can't ask and that you're going to need to ask
directly of Transarc.

Patrick J LoPresti <patl@curl.com> writes:

>   The RPMs do not seem to include modified versions of the rsh suite
>   (or any similar tools).  The source for rsh.c (OpenAFS 1.0.1
>   distribution) defines a local "pass_tokens" variable but never uses
>   it for anything; in other words, the source code itself seems to
>   make no sense.  I understand that I can use PAM to allow various
>   services to authenticate against the AFS Authentication Server, but
>   what I want is to be able to pass authentication tokens *without*
>   typing my password again...  Is that possible, even in principle?

I think it's generally considered to be the Right Thing to just use
Kerberos versions of rsh, rlogin, etc. if you want to pass authentication
rather than trying to use the token-passing versions.  The Kerberos
versions can, with Kerberos v5, pass tickets, which is even better.  This
however requires a Kerberos v5 infrastructure with the migration stuff so
that you can generate Kerberos v4 tickets for AFS's uses.

If you have just a Kerberos v4 infrastructure, what we did here at
Stanford was write a fairly ugly hack to forward Kerberos v4 tickets that
we've used for some years now.  It works, but we'll be happy to get rid of
it in favor of Kerberos v5 ticket passing, as it has various annoyances
and security concerns.

I'm hoping that in the long run, all of the authentication passing
mechanisms will disappear in favor of standardizing on Kerberos v5 ticket
passing (either via the native clients or via ssh).

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>