[OpenAFS] afs/openssh
Derek Atkins
warlord@MIT.EDU
07 Jan 2002 09:39:54 -0500
I just use SSH with krb-5 and ticket forwarding. SSH will
authenticate by kerberos and forward my TGT, and then it
will run 'aklog' to get me AFS tokens. Works great for me.
-derek
Jason Edgecombe <jedgecombe@carolina.rr.com> writes:
> I currently ssh into sun's and linux boxen all the time and get my AFS
> tokens properly. Has anyone gotten openssh to work with AFS support
> compiled in (I mean non-PAM). I'd love to be able to log into my SGI's
> via openssh and get my tokens automatically.
>
>
>
> Jason Edgecombe
>
> Dr A V Le Blanc wrote:
>
> > "Johnny B ." <syborg@stny.rr.com> wrote:
> >
> >>I'd like to be able to connect to my AFS cell externally using ssh
> >>protocol 2. At the moment I believe AFS support is limited to ssh1 and
> >>thats what I'm trying to get working. My original question was if the
> >>exact process for installing sshd w/ afs support was documented
> >>anywhere.
> >>
> >
> > If you want sshd to check your password by authenticating against
> > a Transarc kaserver (or against an MIT or KTH Kerberos server), then
> > this will work with ssh 2 using an appropriate PAM module and
> > configuration file, assuming you compile sshd with PAM support.
> >
> > What is available only for ssh protocol version 1 is the ability to
> > pass AFS tokens to a remote sshd, and to make use of these as part of
> > logging in on multiple AFS clients without retyping your password,
> > and still getting access by AFS ACLs. This has never been enabled
> > with ssh version 2, mainly because it's very hard to see how to
> > combine the protocols in anything like a secure manner. (If you
> > pass your AFS tokens to a dodgy server, you may be giving away
> > more than you intend.) This was implemented in the original
> > ssh-1 by means of patches from Dug Song, which he later withdrew
> > because of support and security concerns. The equivalent patch
> > is there in openssh version 2.9 (and earlier), though I don't
> > believe it was tested properly: I had to make a number of patches
> > to get it to work, and I think it may have disappeared in openssh
> > version 3.
> >
> > So if you just want sshd to check your password against a
> > kaserver (or a Kerberos server), use PAM. For the more complex
> > option, please contact me by email if you want my patches.
> >
> > -- Owen
> > LeBlanc@mcc.ac.uk
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> >
>
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available