[OpenAFS] Home directory in AFS
Derek Atkins
warlord@MIT.EDU
19 Apr 2002 10:44:26 -0400
Turbo Fredriksson <turbo@bayour.com> writes:
> I'm already using that patch on both the client and the server machine(s).
> The problem is that SSHd seems to need my password, to be able to ask the
> KDC for the ticket (I think). Granted, I mostly use pam_krb5, and THAT can't
> get a ticket if I'm using the RSA key. Thing is, I can't always rely on the
> client SSH to have the GSSAPI stuff compiled in. Mostly this is because of
> any Win clients I'm forced to use on work etc (and that my users are using,
> not all my users have seen the light :).
You cannot obtain a TGT from an RSA/DSA key using MIT Kerberos. One
day we might get PKINIT implemented, but then you would need a
certificate (or you might be able to register the SSH public key with the
KDC). Currently, in order to obtain a TGT you either need your
password or you need to forward an existing TGT.
To answer your other question: yes, AFS users _MUST_ exist in the
PTServer database in order to obtain AFS tokens.
One thing I am confused about is: how does the PAM module have the
ability to create a new volume in AFS? Similarly, if it can, why
not just set the AFS acl?
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
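The two preconditions Derek spells out (a TGT obtained from a password or forwarded from the client, and a PTS entry before a token can be issued) can be checked mechanically at login time. The script below is an added illustration, not code from the thread or from OpenAFS: it takes the text that klist, tokens and pts examine would print and reports the first unmet precondition. All sample outputs are constructed here, modelled on those commands' formats, with placeholder principal, cell and AFS ids; the exact wording of real output may differ between versions, so the patterns matched are an assumption.

```shell
#!/bin/sh
# Constructed sample output (placeholders, not real principals or ids),
# shaped like what klist, tokens and pts examine print.
KLIST_WITH_TGT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: turbo@EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/02 10:44:26  04/19/02 20:44:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

KLIST_NO_TGT='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

TOKENS_PRESENT="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.com [Expires Apr 19 20:44]
   --End of list--"

TOKENS_ABSENT='Tokens held by the Cache Manager:

   --End of list--'

PTS_KNOWN='Name: turbo, id: 1234, owner: system:administrators, creator: admin,
  membership: 1, flags: S----, group quota: 20.'

PTS_UNKNOWN="pts: User or group doesn't exist ; unable to find entry for (id or name) turbo"

# True when the credential cache listing contains a ticket-granting ticket.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# True when the cache manager lists a token for the given cell ($2).
has_afs_token() {
    printf '%s\n' "$1" | grep -q "tokens for afs@$2"
}

# True when pts examine returned an entry rather than a lookup error.
pts_user_exists() {
    printf '%s\n' "$1" | grep -q '^Name: '
}

# Report the first unmet precondition, in the order a login has to satisfy
# them: TGT first (password or forwarded ticket), then a PTS entry, then the
# AFS token derived from the TGT.
diagnose() {
    klist_out=$1; tokens_out=$2; pts_out=$3; cell=$4
    if ! has_tgt "$klist_out"; then
        echo "no TGT: log in with a password or forward an existing TGT"
    elif ! pts_user_exists "$pts_out"; then
        echo "no PTS entry: user must be created with pts createuser before aklog can succeed"
    elif ! has_afs_token "$tokens_out" "$cell"; then
        echo "no AFS token: TGT present, run aklog to convert it"
    else
        echo "ok: TGT and AFS token present"
    fi
}

# Walk through the constructed cases.
diagnose "$KLIST_NO_TGT"   "$TOKENS_ABSENT"  "$PTS_KNOWN"   example.com
diagnose "$KLIST_WITH_TGT" "$TOKENS_ABSENT"  "$PTS_UNKNOWN" example.com
diagnose "$KLIST_WITH_TGT" "$TOKENS_ABSENT"  "$PTS_KNOWN"   example.com
diagnose "$KLIST_WITH_TGT" "$TOKENS_PRESENT" "$PTS_KNOWN"   example.com
```

On a live system the three arguments would come from `klist`, `tokens` and `pts examine "$USER"` respectively; the ordering matters because a missing PTS entry makes aklog fail even when a perfectly good TGT is present, which is the failure mode the thread is about.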