[OpenAFS] password-less login via OpenSSH with OpenAFS home dir...

Charles Clancy security@xauth.net
Sun, 14 Oct 2001 13:28:50 -0500 (CDT)


On 12 Oct 2001, Russ Allbery wrote:

> Paolo Saggese <NOSPAM@libero.it> writes:
>
> > So here is the question: how to allow for SSH password-less login
> > (possibly getting the token, too, otherwise it would be useless...) with
> > user's home dirs on AFS?
>
> You probably want a compile of SSH that supports Kerberos authentication
> and ticket and token forwarding.  I believe that the current version of
> OpenSSH compiled against the kth Kerberos libraries supports that with
> protocol version 1.  For protocol version 2, I think you need another
> patch to do GSSAPI Kerberos v5 authentication.

I was able to get K4 TGT but not AFS token passing to work when I tried
this past summer.  This means using the '.krb' versions of some of the AFS
commands:

	klog.krb
	pagsh.krb
	tokens.krb
	pam_afs.krb.so.1

These versions keep your K4 TGT around after getting the AFS token.
OpenSSH can then do Kerberos TGT passing.  Just put 'afslog' (from kth's
krb4 distro) in /etc/csh.cshrc (or somewhere similar) to use the TGT to
get an AFS token and everything works.  Of course, getting AFS token
passing to work would be cleaner...

It worked great in conjunction with LAM-MPI on a Sparc Solaris 8-based
Beowulf cluster I set up.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy