[OpenAFS] afs/openssh

Derek Atkins warlord@MIT.EDU
07 Jan 2002 09:39:54 -0500


I just use SSH with krb-5 and ticket forwarding.  SSH will
authenticate by kerberos and forward my TGT, and then it
will run 'aklog' to get me AFS tokens.  Works great for me.

-derek

Jason Edgecombe <jedgecombe@carolina.rr.com> writes:

> I currently ssh into Suns and Linux boxen all the time and get my AFS 
> tokens properly. Has anyone gotten openssh to work with AFS support 
> compiled in (I mean non-PAM)? I'd love to be able to log into my SGIs 
> via openssh and get my tokens automatically.
> 
> Jason Edgecombe
> 
> Dr A V Le Blanc wrote:
> 
> > "Johnny B ." <syborg@stny.rr.com> wrote:
> > 
> >>I'd like to be able to connect to my AFS cell externally using ssh
> >>protocol 2. At the moment I believe AFS support is limited to ssh1 and
> >>that's what I'm trying to get working. My original question was if the
> >>exact process for installing sshd w/ afs support was documented
> >>anywhere.
> >>
> > 
> > If you want sshd to check your password by authenticating against
> > a Transarc kaserver (or against an MIT or KTH Kerberos server), then
> > this will work with ssh 2 using an appropriate PAM module and
> > configuration file, assuming you compile sshd with PAM support.
> > 
> > What is available only for ssh protocol version 1 is the ability to
> > pass AFS tokens to a remote sshd, and to make use of these as part of
> > logging in on multiple AFS clients without retyping your password,
> > and still getting access by AFS ACLs.  This has never been enabled
> > with ssh version 2, mainly because it's very hard to see how to
> > combine the protocols in anything like a secure manner.  (If you
> > pass your AFS tokens to a dodgy server, you may be giving away
> > more than you intend.)  This was implemented in the original
> > ssh-1 by means of patches from Dug Song, which he later withdrew
> > because of support and security concerns.  The equivalent patch
> > is there in openssh version 2.9 (and earlier), though I don't
> > believe it was tested properly: I had to make a number of patches
> > to get it to work, and I think it may have disappeared in openssh
> > version 3.
> > 
> > So if you just want sshd to check your password against a
> > kaserver (or a Kerberos server), use PAM.  For the more complex
> > option, please contact me by email if you want my patches.
> > 
> >      -- Owen
> >      LeBlanc@mcc.ac.uk
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available