[OpenAFS] Re: afs/openssh

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Sun, 6 Jan 2002 12:13:06 +0000


"Johnny B ." <syborg@stny.rr.com> wrote:
> I'd like to be able to connect to my AFS cell externally using ssh
> protocol 2. At the moment I believe AFS support is limited to ssh1 and
> that's what I'm trying to get working. My original question was if the
> exact process for installing sshd w/ afs support was documented
> anywhere.

If you want sshd to check your password by authenticating against
a Transarc kaserver (or against an MIT or KTH Kerberos server), then
this will work with ssh 2 using an appropriate PAM module and
configuration file, assuming you compile sshd with PAM support.

What is available only for ssh protocol version 1 is the ability to
pass AFS tokens to a remote sshd, and to make use of these as part of
logging in on multiple AFS clients without retyping your password,
and still getting access by AFS ACLs.  This has never been enabled
with ssh version 2, mainly because it's very hard to see how to
combine the protocols in anything like a secure manner.  (If you
pass your AFS tokens to a dodgy server, you may be giving away
more than you intend.)  This was implemented in the original
ssh-1 by means of patches from Dug Song, which he later withdrew
because of support and security concerns.  The equivalent patch
is there in openssh version 2.9 (and earlier), though I don't
believe it was tested properly: I had to make a number of patches
to get it to work, and I think it may have disappeared in openssh
version 3.

So if you just want sshd to check your password against a
kaserver (or a Kerberos server), use PAM.  For the more complex
option, please contact me by email if you want my patches.

     -- Owen
     LeBlanc@mcc.ac.uk
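The PAM route described in the reply, as an added configuration example that is not part of the original message and is not Owen's own setup: it assumes a sshd built with PAM support, an MIT (Kerberos 5) KDC rather than a Transarc kaserver (a kaserver would need a different, Kerberos 4/AFS-specific module, which this example does not cover), and the `pam_krb5.so` module being installed. The `UsePAM` keyword comes from OpenSSH releases later than the 2.9/3.x versions discussed above; older releases used different keywords for the same purpose.

```text
# /etc/pam.d/sshd (excerpt, assumed layout)
# First try the Kerberos 5 KDC; fall back to the local password file.
auth     sufficient   pam_krb5.so
auth     required     pam_unix.so try_first_pass
account  required     pam_krb5.so
account  required     pam_unix.so

# /etc/ssh/sshd_config (excerpt, assumed layout)
# Hand password checks to the PAM stack above; protocol 2 is fine for this.
UsePAM yes
PasswordAuthentication yes
```

This only verifies the user's password against the KDC; it does not forward or create AFS tokens on the remote host, which is exactly the part the reply says is unavailable under protocol 2. Keeping the two concerns separate is what lets password checking work safely over ssh 2 without handing tokens to a server you may not trust.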