[OpenAFS] Home directory in AFS

eichin-oa@boxedpenguin.com eichin-oa@boxedpenguin.com
19 Apr 2002 12:10:00 -0400


> The problem is that SSHd seems to need my password to be able to ask the
> KDC for the ticket (I think).

If you're using openssh with the patches for GSSAPI support, you need:
	1) to be using protocol 2 (ssh -2)
	2) GSSAPIDelegateCredentials yes (either as a -o, or in .ssh/config)
	3) to have gotten your initial tickets as forwardable in the
	   first place (kinit -f)

Once you can forward *tickets* (which klist on the far side should
confirm), then you can use pam_openafs_session to generate tokens from
them on the far side.  You also need GSSAPIAuthentication yes in the
sshd_config on the far side as well.

> Granted, I mostly use pam_krb5, and THAT can't
> get a ticket if I'm using the RSA key. Thing is, I can't always rely on the
> client SSH to have the GSSAPI stuff compiled in. Mostly this is because of

They're not going to have tokens to forward either (or have you also
deployed afs for windows users?), so they are going to need to give a
password somewhere...
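The three client-side prerequisites and the server-side setting listed in the reply above can be checked mechanically before trying to debug token generation on the far side. The script below is an added example, not part of the original mail or of the OpenAFS or OpenSSH projects; it runs against constructed sample inputs (a hypothetical `~/.ssh/config` for the made-up host `afsserver.example.org`, a hypothetical `sshd_config` fragment, and `klist -f` output in the MIT Kerberos format, where an `F` in the `Flags:` line of the `krbtgt/` entry marks the ticket as forwardable). In real use you would feed it `cat ~/.ssh/config`, `cat /etc/ssh/sshd_config` and `klist -f` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the prerequisites for
# GSSAPI ticket delegation over ssh against constructed sample inputs.

# Constructed sample ~/.ssh/config; host name is an assumption.
SAMPLE_SSH_CONFIG='Host afsserver.example.org
    Protocol 2
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Constructed sample sshd_config fragment for the far side.
SAMPLE_SSHD_CONFIG='Protocol 2
GSSAPIAuthentication yes
'

# Constructed `klist -f` output: TGT obtained with `kinit -f` (F flag present).
SAMPLE_KLIST_FWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
04/19/02 12:00:00  04/19/02 22:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FIA
'

# Constructed `klist -f` output: TGT obtained with plain `kinit` (no F flag).
SAMPLE_KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
04/19/02 12:00:00  04/19/02 22:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: IA
'

# has_option TEXT KEY VALUE: 0 if an uncommented "KEY VALUE" line is present
# (keywords are case-insensitive in OpenSSH configs, so match that way).
has_option() {
    printf '%s\n' "$1" |
        grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([^0-9A-Za-z]|\$)"
}

# check_ssh_config TEXT: 0 if the client config selects protocol 2 and
# asks ssh to delegate (forward) the Kerberos credentials.
check_ssh_config() {
    has_option "$1" Protocol 2 || return 1
    has_option "$1" GSSAPIDelegateCredentials yes || return 1
    return 0
}

# check_sshd_config TEXT: 0 if the far-side sshd accepts GSSAPI authentication.
check_sshd_config() {
    has_option "$1" GSSAPIAuthentication yes
}

# tgt_forwardable TEXT: 0 if the krbtgt entry in `klist -f` output carries
# the F (forwardable) flag, i.e. the initial tickets came from `kinit -f`.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//          { tgt = 1; next }
        tgt && /Flags:/     { if ($2 ~ /F/) ok = 1; tgt = 0 }
        END                 { exit ok ? 0 : 1 }'
}

# Stand-alone run: report each prerequisite for the sample inputs.
if check_ssh_config "$SAMPLE_SSH_CONFIG"; then
    echo "client config: protocol 2 + GSSAPIDelegateCredentials ok"
fi
if check_sshd_config "$SAMPLE_SSHD_CONFIG"; then
    echo "server config: GSSAPIAuthentication ok"
fi
if tgt_forwardable "$SAMPLE_KLIST_FWD"; then
    echo "TGT is forwardable; klist on the far side should show it after login"
fi
if ! tgt_forwardable "$SAMPLE_KLIST_NOFWD"; then
    echo "TGT is NOT forwardable; re-run kinit -f before ssh"
fi
```

If all three checks pass and `klist` on the far side still shows nothing, the delegation itself worked but token generation did not, which is the point at which `pam_openafs_session` configuration on the far side becomes the thing to look at.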