[OpenAFS] afs / openssh

Charles Clancy security@xauth.net
Sat, 5 Jan 2002 19:50:00 -0600 (CST)


> > I'm not sure what you want to do -- do you want to be able to pass AFS
> > tokens through SSH?  Or do you want to be able to use AFS's Kerberos
> > Authentication as a single-signon?  For the former, I believe that
>
> I'd like to be able to connect to my AFS cell externally using ssh
> protocol 2. At the moment I believe AFS support is limited to ssh1 and
> that's what I'm trying to get working. My original question was if the
> exact process for installing sshd w/ afs support was documented
> anywhere. I got it working a long time ago (actually Brian did :-) and
> I can't remember how he/we did it. I'll figure it out.

I suspect that for what you want to do, you should:

tar xfvz openssh-3.x.tar.gz
cd openssh-3.x
./configure --with-pam
make
make install

Then, you need to update your PAM configuration.

Linux: add the following to /etc/pam.d/ssh:
	auth required /lib/security/pam_afs.so.1
	session required /lib/security/pam_afs.so.1
I'm not sure where the RPM installs the modules -- you may need to adjust
the path.

Solaris: add the following to /etc/pam.conf:
	ssh auth required /usr/lib/security/pam_afs.so.1
	ssh session required /usr/lib/security/pam_afs.so.1
Make sure you copy the modules from the dist directory to
/usr/lib/security.

You may want to read up on PAM and tweak the configuration.  The above
lines only allow AFS users to log in.  Presumably that would prevent root
logins, and all logins if AFS were down.

Now, if you want to get fancy, you can do token passing with Kerberos
authentication.  This allows you to use your existing AFS token to
authenticate, instead of typing your AFS password.  When you see "AFS
support" in OpenSSH, that's what they're talking about.  I've never gotten
token passing to work, but Kerberos authentication, used in conjunction
with pam_afs_krb.so and afslog, works quite well.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
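
Added example, not part of the original post: a small check for the lockout
case the message describes, where pam_afs is the only gate in the ssh auth
stack. The function name pam_afs_gate and both sample configurations are
constructed for illustration; pam_unix.so.1 as a local-account module ahead
of pam_afs is an assumption about the site's stack.

```sh
#!/bin/sh
# Added example: classify a PAM auth stack read from stdin.
# usage: pam_afs_gate FORMAT SERVICE < config
#   FORMAT "pamd"    = /etc/pam.d/<service> lines: type control module [args]
#          "pamconf" = /etc/pam.conf lines: service type control module [args]
# Prints one of:
#   sole-gate   pam_afs is required/requisite and no earlier "sufficient"
#               module can admit a local account (root, or anyone if AFS is down)
#   ok          pam_afs is present but is not the only gate
#   no-pam_afs  no pam_afs auth line for this service
pam_afs_gate() {
    awk -v fmt="$1" -v svc="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            if (fmt == "pamconf") {
                if ($1 != svc) next          # entry for another service
                type = $2; ctl = $3; mod = $4
            } else {
                type = $1; ctl = $2; mod = $3
            }
            if (type != "auth") next         # only the auth stack decides logins
            if (mod ~ /pam_afs/) {
                seen = 1
                # A later "sufficient" module cannot undo a failed required one,
                # so only modules listed before pam_afs count as a fallback.
                if ((ctl == "required" || ctl == "requisite") && !fallback)
                    gate = 1
            } else if (ctl == "sufficient") {
                fallback = 1
            }
        }
        END { print (gate ? "sole-gate" : (seen ? "ok" : "no-pam_afs")) }
    '
}

# Constructed sample: the Linux lines from the post as /etc/pam.d/ssh content.
LINUX_POST='auth required /lib/security/pam_afs.so.1
session required /lib/security/pam_afs.so.1'

# Constructed sample: Solaris pam.conf with a local-account module first
# (assumption, see lead-in).
SOLARIS_FALLBACK='ssh auth sufficient /usr/lib/security/pam_unix.so.1
ssh auth required /usr/lib/security/pam_afs.so.1
ssh session required /usr/lib/security/pam_afs.so.1'

printf '%s\n' "$LINUX_POST" | pam_afs_gate pamd ssh
printf '%s\n' "$SOLARIS_FALLBACK" | pam_afs_gate pamconf ssh
```

On a live system, feed it the real file, for example
pam_afs_gate pamd ssh < /etc/pam.d/ssh, before closing the existing root session.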