[OpenAFS] arg, ssh and afs was the subject
Sam Hartman
hartmans@mekinok.com
17 Jul 2001 11:30:55 -0400
>>>>> "Patrick" == Patrick J LoPresti <patl@curl.com> writes:
Patrick> Sam Hartman <hartmans@mekinok.com> writes:
>> I would seriously consider grabbing one of the PAM modules
>> discussed previously on this list. It is useful with more than
>> just openssh and it prevents you from having AFS dependencies
>> in OpenSSH.
Patrick> Suppose I have a Kerberos 5 environment. Could I use
Patrick> OpenSSH with RSA authentication (no password), configure
Patrick> OpenSSH to forward my Kerberos tickets, and then use one
Patrick> of the PAM modules to obtain AFS tokens?
Yes, you could do this using the patches found at
http://www.sxw.org.uk/computing/patches/openssh.html. With the same
patches you could also just use OpenSSH in a native Kerberos mode,
with the provision that the protocol may change, requiring an upgrade
at some point in the future.
Patrick> I suspect the answer is "yes", but I am curious whether
Patrick> anybody is actually doing this and exactly what their SSH
Patrick> and PAM configurations are.
Mekinok is doing this internally. You can see our SSH PAM config at
/afs/mekinok.com/service/ssh.pam and our SSH config is in the bp-ssh
package found at
/afs/mekinok.com/product/boxedpenguin-prototype/www/prototype/release/bp-openssh.
If you don't have a Debian system handy to unpack the package, you can
untar the .orig.tar.gz and apply the .diff.gz.