[OpenAFS] ssh and afs

Pavel Semerad semerad@ss1000.ms.mff.cuni.cz
Mon, 6 May 2002 11:25:47 +0200


On Sat, May 04, 2002 at 02:34:09PM -0400, Ray Link wrote:
> There is a way to do this with the newer versions of OpenSSH, but it
> involves dorking with the structure of your ~/.ssh directory.
> 
> Background info first:
> 
> In older (pre-2.9, iirc) versions of OpenSSH, it would pass your AFS
> token across during the authentication phase, so the remote sshd could
> read your ~/.ssh/authorized_keys file (since the whole directory is
> hopefully ACL'd to keep people out, as your private keys live there,
> too.)  Now that the remote sshd can read files in your ~/.ssh dir, RSA
> key authentication can happen normally, and all is good.
> 
> Currently, however, OpenSSH doesn't accept passed AFS tokens until
> after authentication has already taken place.  Since the remote sshd
> doesn't have a token to read your authorized_keys file, it falls back
> to password auth.  Once you're authed and it hits the session phase,
> then and only then does the AFS token get passed.  The general
> consensus is that this was changed because passing an AFS token before
> actual authentication happened was seen as a security risk.

  I needed to pass tokens with kaserver too (no krb5 yet), so I made a patch,
which passes the token before authentication (as in openssh <= 2.9).

  Pavel Semerad