[OpenAFS] Questions about AFS usage
Neulinger, Nathan
nneul@umr.edu
Wed, 26 Feb 2003 12:59:48 -0600
Or even better, just forget all the trouble with afs token passing and switch to kerberos5 w/ gssapi.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Ray Link [mailto:rlink+@pitt.edu]
> Sent: Wednesday, February 26, 2003 12:57 PM
> To: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Questions about AFS usage
>
>
> On Wed, 26 Feb 2003, Daniel Swärd wrote:
>
> > Doesn't that require that I actually have a token before trying to
> > authenticate with ssh-keys?
>
> Yes and no.
>
> There is a way to set up your .ssh directory so that you only need a
> token on the client side. This configuration will enable the remote
> sshd to read your public keys without a token, while keeping your
> private keys safe. The layout (and permissions for the PTS group
> system:anyuser) looks something like this:
>
>     ${HOME}                    ( system:anyuser l )
>       |
>       +--- .ssh/               ( system:anyuser rl )
>              |
>              +--- private/     ( system:anyuser none )
>              |      |
>              |      +--- identity
>              |      +--- id_rsa
>              |      +--- id_dsa
>              |
>              +--- authorized_keys
>              +--- identity.pub
>              +--- id_rsa.pub
>              +--- id_dsa.pub
>              +--- identity --symlink--> ./private/identity
>              +--- id_rsa   --symlink--> ./private/id_rsa
>              +--- id_dsa   --symlink--> ./private/id_dsa
>              +--- known_hosts, known_hosts2, etc...
>
> The remote sshd only needs to read your public keys stored in the
> authorized_keys file, which it can read without a token. As long as
> you have a token on the ssh-client side, you can read your private keys
> (symlinked into the place ssh expects to find them) for the client half
> of the key-based auth.
>
> A more detailed description of how and why this works can be found at:
>
> https://lists.openafs.org/pipermail/openafs-info/2002-May/004356.html
>
> The glaring drawback to this cheap hack is that your users have to set
> this up for themselves. An alternative is to patch OpenSSH to pass
> AFS tokens before attempting key authentication. Patches can be
> found at:
> http://www.pitt.edu/~rlink/patches/
> and a description of the patches is archived at:
>
> https://lists.openafs.org/pipermail/openafs-info/2002-June/004768.html
> (Note: the attached patch is broken, see the previous URL
> for a fixed one.)
>
> This seems to come up once every couple of months, so I think I might
> actually Wiki the info this time.
>
> ==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====
>
> For some reason I was confusing "SubGenius" with "GNU" there.
> - The Cube, Forum 3000
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
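A script for the .ssh layout in Ray's reply, added here as an example (not from the post, OpenSSH or OpenAFS): it moves the private keys under .ssh/private, symlinks them back with relative links, and applies the three ACLs with fs setacl, then checks the result. It assumes the OpenAFS fs client is on PATH; the FS_CMD override variable and the check function are this example's own.

```shell
#!/bin/sh
# Added example, not from the post. Builds the layout from Ray Link's reply
# and applies the AFS ACLs with "fs setacl". Assumes the OpenAFS "fs" client
# is on PATH; FS_CMD is this script's own hook for dry runs/tests.
: "${FS_CMD:=fs}"

# Move private keys under .ssh/private, symlink them back, then set ACLs:
# l = lookup only, rl = read+lookup, none = no access for system:anyuser.
setup_afs_ssh_layout() {
  home="${1:-$HOME}"; ssh="$home/.ssh"; priv="$ssh/private"
  mkdir -p "$priv" || return 1
  for k in identity id_rsa id_dsa; do
    # Relocate a real key file that still sits directly under .ssh
    if [ -f "$ssh/$k" ] && [ ! -L "$ssh/$k" ]; then
      mv "$ssh/$k" "$priv/$k" || return 1
    fi
    # Only keys that exist get a relative symlink, so nothing dangles;
    # ssh itself refuses private keys that are group/world readable.
    if [ -f "$priv/$k" ]; then
      chmod 600 "$priv/$k"
      ln -sf "./private/$k" "$ssh/$k" || return 1
    fi
  done
  "$FS_CMD" setacl -dir "$home" -acl system:anyuser l    || return 1
  "$FS_CMD" setacl -dir "$ssh"  -acl system:anyuser rl   || return 1
  "$FS_CMD" setacl -dir "$priv" -acl system:anyuser none || return 1
}

# Verify the layout: no plain private key may remain directly in .ssh
# (that directory is readable by system:anyuser), and each key under
# private/ must be reached through the relative symlink ssh expects.
check_afs_ssh_layout() {
  ssh="${1:-$HOME}/.ssh"; rc=0
  for k in identity id_rsa id_dsa; do
    if [ -f "$ssh/$k" ] && [ ! -L "$ssh/$k" ]; then
      echo "BAD: $ssh/$k is a regular file in an anyuser-readable dir" >&2; rc=1
    fi
    if [ -f "$ssh/private/$k" ] && [ "$(readlink "$ssh/$k")" != "./private/$k" ]; then
      echo "BAD: $ssh/$k does not link to ./private/$k" >&2; rc=1
    fi
  done
  return $rc
}
```

Run it as `setup_afs_ssh_layout "$HOME" && check_afs_ssh_layout "$HOME"` from a shell that already holds an AFS token for your own cell.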