[OpenAFS] arg, ssh and afs was the subject

Charles Clancy mgrtcc@cs.rose-hulman.edu
Tue, 17 Jul 2001 09:32:27 -0500


>> I would seriously consider grabbing one of the PAM modules discussed
>> previously on this list.  It is useful with more than just openssh and
>> it prevents you from having AFS dependencies in Openssh.
>
> Suppose I have a Kerberos 5 environment.  Could I use OpenSSH with RSA
> authentication (no password), configure OpenSSH to forward my Kerberos
> tickets, and then use one of the PAM modules to obtain AFS tokens?

As far as I know, OpenSSH will only forward K4 TGTs, not K5 ones:
/usr/src/openssh-2.9p1$ ./configure --help | egrep -i "kerb|afs"
  --with-kerberos4=PATH   Enable Kerberos 4 support
  --with-afs=PATH         Enable AFS support

We have 2 cells.  Our first cell is running K5 and uses pam-krb5 and
pam-aklog.  As far as I know, TGT passing is not possible.  Our second
cell is not kerberized.  We use pam-afs.krb, OpenSSH K4 TGT passing, and
pam-afslog.  Someone right now is working on AFS token passing in the
kerberized cell.  In theory, you don't need to forward your TGT in order
to forward your token.  I'm not sure how successful they will be,
however.  The --with-afs flag assumes you are using K4, and
--with-kerberos4.  I'm not sure how it internally passes the AFS token
-- whether it passes the TGT and gets a new token, or not.
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus - RHIT Computer Science