[OpenAFS] pam and openafs 1.2.7 for RH 7.2
David Botsch
dwb7@ccmr.cornell.edu
Tue, 8 Oct 2002 12:09:53 -0400

I wanted to reply to some of the comments that had been made about
OpenSSH and AFS recently.

OpenSSH can authenticate in several ways: password authentication,
rhosts authentication, Kerberos authentication, and others. As of
openssh-3.4p1, to my knowledge, you cannot actually authenticate with
an AFS token. You can only pass the token after authentication. With
Kerberos, however, you may be able to authenticate with the TGT you
already have. So, AFTER authentication (not before, as used to be the
case), OpenSSH can pass Kerberos TGTs and AFS tokens. It will
appropriately set a pagsh. You must compile OpenSSH with the --with-afs
--with-kerberos4 --with-kerberos5 options (both client and server). I do
not believe that token passing actually involves PAM (you would use PAM
if you were doing password auth, but the process of doing a password
auth with PAM would get you an AFS token).

FYI, OpenSSH has a bug in the part of the code which sets the location
of the ticket cache. It was depending on the error behavior of the
mkstemp glibc function (and this error behavior has changed). This
should only affect things like password auth and not ticket/token
passing.
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************