[OpenAFS] Questions about AFS usage

Ray Link rlink+@pitt.edu
Wed, 26 Feb 2003 13:56:59 -0500 (EST) 

On Wed, 26 Feb 2003, Daniel [ISO-8859-1] Sw=E4rd wrote:

> Doesn't that require that I actually have a token before trying to
> authenticate with ssh-keys?

Yes and no.

There is a way to set up your .ssh directory so that you only need a
token on the client side.  This configuration will enable the remote
sshd to read your public keys without a token, while keeping your
private keys safe.  The layout (and permissions for the PTS group
system:anyuser) looks something like this:


 ${HOME}   ( system:anyuser l )
     |
     +--- .ssh/   ( system:anyuser rl )
            |
            +--- private/   ( system:anyuser none )
            |         |
            |         +--- identity
            |         +--- id_rsa
            |         +--- id_dsa
            |
            +--- authorized_keys
            +--- indentiy.pub
            +--- id_rsa.pub
            +--- id_dsa.pub
            +--- identity --symlink--> ./private/identity
            +--- id_rsa   --symlink--> ./private/id_rsa
            +--- id_dsa   --symlink--> ./private/id_dsa
            +--- known_hosts, known_hosts2, etc...

The remote sshd only needs to read your public keys stored in the
authorized_keys file, which it can read without a token.  As long as
you have a token on the ssh-client side, you can read your private keys
(symlinked into the place ssh expects to find them) for the client half
of the key-based auth.

A more detailed description of how and why this works can be found at:
  https://lists.openafs.org/pipermail/openafs-info/2002-May/004356.html

The glaring drawback to this cheap hack is that your users have to set
this up for themselves.  An alternative is to patch OpenSSH to pass
AFS tokens before attempting key authentication.  Patches can be
found at:
  http://www.pitt.edu/~rlink/patches/
and a description of the patches is archived at:
  https://lists.openafs.org/pipermail/openafs-info/2002-June/004768.html
  (Note: the attached patch is broken, see the previous URL for a fixed one=
=2E)

This seems to come up once every couple of months, so I think I might
actually Wiki the info this time.

=3D=3D=3D=3D Ray Link =3D=3D=3D University of Pittsburgh CSSD =3D=3D=3D rli=
nk@pitt.edu =3D=3D=3D=3D

For some reason I was confusing "SubGenius" with "GNU" there.
        - The Cube, Forum 3000