[OpenAFS] Questions about AFS usage
Ray Link
rlink+@pitt.edu
Thu, 27 Feb 2003 13:43:36 -0500 (EST)

On Wed, 26 Feb 2003, Jim Rees wrote:

> Of course you can set up your ssh directory so that your public keys are
> world readable, but I thought the question was how to get afs tokens on the
> server side. Did I misunderstand?

OpenSSH still has the ability to pass AFS Tokens and Krb TGTs, but post-2.9
versions don't do it until the Session phase, *after* the Authentication
phase successfully completes. The method I described simply solves the
chicken-and-egg problem of the server being able to read your public
keys before getting the AFS Token passed to it.

The simple answer to "How do I get AFS tokens on the server side?" is to
enable AFS Token passing in OpenSSH, and modify your .ssh/ directory
layout to let the remote sshd be able to read your public keys.

> The proposed solution of passing afs tokens before ssh authentication
> is obviously a bad idea.

Exactly. This is why the OpenSSH developers moved the Token/TGT
passing to occur after authentication, instead of before auth, as it
used to be.

Granted, I wrote a patch to restore the old-style functionality of
passing an AFS Token before Authentication, but I understand the
security implications of this, and would only use it in a situation
where it was absolutely warranted.

==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====
For some reason I was confusing "SubGenius" with "GNU" there.
- The Cube, Forum 3000