[OpenAFS] pam and openafs 1.2.7 for RH 7.2
Charles Clancy
security@xauth.net
Tue, 8 Oct 2002 15:19:28 -0500 (CDT)

> As of openssh-3.4p1, to my knowledge, you cannot actually authenticate
> with an afs token. You can only pass the token after authentication.
> With Kerberos, however, you may be able to authenticate with the tgt you
> already have.

Authentication methods defined in openssh-3.4p1/auth-krb4.c:

    int auth_krb4_password(Authctxt *authctxt, const char *password)
    int auth_krb4_tgt(Authctxt *authctxt, const char *string)
    int auth_afs_token(Authctxt *authctxt, const char *token_string)

Though I've never tried to use the third one. ;)

> So, AFTER authentication (not before as used to be the case), openssh
> can pass kerberos TGTs and afs tokens. It will appropriately set a
> pagsh. You must compile openssh with the --with-afs --with-kerberos4
> --with-kerberos5 (both client and server).

It can do pure TGT stuff without --with-afs. You can do kaserver stuff
without the --with-kerberos5.

> I do not believe that token passing actually involves PAM (you would use
> PAM if you were doing password auth, but the process of doing a password
> auth with PAM would get you an afs token).

Right. Token passing most certainly does not involve PAM. The module
pam_afs.so can only do password-based authentication.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]