[OpenAFS] (no subject)

Charles Clancy mgrtcc@cs.rose-hulman.edu
Tue, 17 Jul 2001 09:20:36 -0500

> i just downloaded and installed openafs. so far it works great :-)
just one 
> exception: secure shell. how do i get that bugger to work

Use OpenSSH with PAM.  Compiling with AFS/Kerberos support is usually
not that easy.  In my experience, the AFS, krb4, and Solaris libcrypto's
all fight with one another.

With OpenSSH, do the following:
./configure --with-pam --prefix=/usr/local/openssh (or whatever)
make; make install

Add the following lines to /etc/pam.conf:
sshd    auth sufficient /usr/lib/security/pam_afs.so.1 ignore_root
sshd    auth required   /usr/lib/security/pam_unix.so.1

Make sure you copy pam_afs.so.1 from the lib directory of the OpenAFS
installation into /usr/lib/security.

I've been using this setup with OpenSSH since version 2.1, and it's
worked great.  Before that, I used a PAM-patched version of SSH 1.2.27
on Solaris 7.  I have managed to get AFS Token / Kerberos TGT passing
going with RSA-rhost authentication, so you can SSH around between
machines without using a password, but still keeping your AFS token.
This is extremely useful for clustering packages such as LAM-MPI.
However, in most cases, this isn't necessary, only a convenience.
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus - RHIT Computer Science