[OpenAFS] ssh+afs logins fail on IRIX 6.5.15

Charles Clancy security@xauth.net
Thu, 30 May 2002 09:43:16 -0500 (CDT)


>> You can configure openssh to pass your afs token to the remote machine.
>> That should solve your problem.  However, if your afs users can log in
>> via console and everything afs works, I suspect that what you really
>> want to do is make openssh just do the afs authentication instead of
>> krb-v4.
>
> So, just how does one do this? AFSTokenPassing and KerberosTgtPassing
> are both set to "yes" in /etc/ssh/sshd_config. Is there something
> else that needs to be done?

These only help if you already have an AFS token or Kerberos 4 TGT on the
system you are SSH-ing from, and your SSH client is configured to pass it.
Otherwise, there's nothing to pass.  As far as I know, OpenSSH can't get
an AFS token automatically, unless you somehow have it run afslog, as I
mentioned earlier.

Below are the only options I'm aware of.

These are responsible for allowing you to use a previously obtained TGT to
authenticate yourself through your SSH client to your SSH server:

	KerberosAuthentication yes
	KerberosOrLocalPasswd yes
	KerberosTicketCleanup yes

If you have a TGT already, and it is successfully validated, then the
following will pass your existing AFS token to the new host:

	AFSTokenPassing yes

This option is similar to the above, but it passes your Krb4 TGT to the
new host:

	KerberosTgtPassing yes

In the past, I've used the pam_afs.krb.so module to obtain both a TGT and
AFS token when logging in normally.  Then, I can use SSH with Kerberos
Authentication, AFS Token Passing, and Kerberos TGT Passing to ssh around
between machines, doing password-less authentication via my Krb4 TGT, and
then pass both my AFS token and my Krb4 TGT along.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]