[OpenAFS] afs/openssh
Jason Edgecombe
jedgecombe@carolina.rr.com
Mon, 07 Jan 2002 09:08:20 -0500
I currently ssh into Suns and Linux boxen all the time and get my AFS
tokens properly. Has anyone gotten openssh to work with AFS support
compiled in (I mean non-PAM)? I'd love to be able to log into my SGIs
via openssh and get my tokens automatically.
Jason Edgecombe
Dr A V Le Blanc wrote:
> "Johnny B ." <syborg@stny.rr.com> wrote:
>
>>I'd like to be able to connect to my AFS cell externally using ssh
>>protocol 2. At the moment I believe AFS support is limited to ssh1 and
>>that's what I'm trying to get working. My original question was if the
>>exact process for installing sshd w/ afs support was documented
>>anywhere.
>>
>
> If you want sshd to check your password by authenticating against
> a Transarc kaserver (or against an MIT or KTH Kerberos server), then
> this will work with ssh 2 using an appropriate PAM module and
> configuration file, assuming you compile sshd with PAM support.
>
> What is available only for ssh protocol version 1 is the ability to
> pass AFS tokens to a remote sshd, and to make use of these as part of
> logging in on multiple AFS clients without retyping your password,
> and still getting access by AFS ACLs. This has never been enabled
> with ssh version 2, mainly because it's very hard to see how to
> combine the protocols in anything like a secure manner. (If you
> pass your AFS tokens to a dodgy server, you may be giving away
> more than you intend.) This was implemented in the original
> ssh-1 by means of patches from Dug Song, which he later withdrew
> because of support and security concerns. The equivalent patch
> is there in openssh version 2.9 (and earlier), though I don't
> believe it was tested properly: I had to make a number of patches
> to get it to work, and I think it may have disappeared in openssh
> version 3.
>
> So if you just want sshd to check your password against a
> kaserver (or a Kerberos server), use PAM. For the more complex
> option, please contact me by email if you want my patches.
>
> -- Owen
> LeBlanc@mcc.ac.uk