[OpenAFS] AFS/UNIX attributes, home directories in AFS

Russ Allbery rra@stanford.edu
Tue, 16 Sep 2003 18:22:54 -0700

John Gruenenfelder <johng@bach.as.arizona.edu> writes:
> On Tue, Sep 16, 2003 at 03:03:30PM -0700, Russ Allbery wrote:

>> (SSH with public key authentication works poorly with AFS in the best
>> of circumstances, since when you authenticate with a public key there's
>> no way to get an AFS token automatically, so that application in
>> particular may not be the best example.)

> I have a question about exactly this.  How can I get around this?

You either always require that the user do password authentication with
SSH, you use the support for AFS token passing (which we had to modify
slightly to get it to really work and which currently requires protocol
version one and therefore isn't a very good option), or you use Kerberos
authentication with ticket forwarding and then set up your shell
initialization files to obtain AFS tokens from Kerberos tickets.  In
practice, unless you're happy with SSH protocol version one, this last
alternative will require making AFS work with Kerberos v5.

But public key authentication by itself just isn't going to work because
you can't leverage the user's public key into an AFS token.

> As you point out, though, I have noticed that none of the PAM scripts
> are run when I log in with this method.

PAM is (almost entirely, at least in practice) for password authentication
and doesn't work well with other authentication mechanisms.  But more
fundamentally than that, PAM uses either your password or an existing
Kerberos credential to build an AFS token, and with public key
authentication, you have neither.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
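As an added example (not part of Russ's message or of the OpenAFS distribution), here is the shell-initialization piece of the third alternative above: after an SSH login that forwarded a Kerberos v5 ticket, turn that ticket into an AFS token, and say why when that is impossible. It assumes an MIT-style `klist -s` (exits 0 only when a valid ticket is in the credential cache) and the OpenAFS `aklog` command; the function names `afs_token_from_krb5` and `afs_login_hook` and the `KLIST`/`AKLOG` override variables are this example's own inventions. The branch that returns 1 is exactly what happens after a public-key login: there is no ticket, so there is nothing to convert.

```shell
#!/bin/sh
# Added example: obtain an AFS token from a forwarded Kerberos v5 ticket
# during shell initialization (~/.profile or ~/.bash_profile).
# Assumes MIT-style `klist -s` and OpenAFS `aklog`. KLIST/AKLOG exist only so
# the commands can be overridden (for testing, or for non-standard paths).
KLIST="${KLIST:-klist}"
AKLOG="${AKLOG:-aklog}"

# Return codes: 0 = token obtained, 1 = no usable Kerberos ticket,
# 2 = klist or aklog not installed, 3 = aklog itself failed.
afs_token_from_krb5() {
    command -v "$KLIST" >/dev/null 2>&1 || return 2
    command -v "$AKLOG" >/dev/null 2>&1 || return 2
    # Public-key SSH logins land here: the credential cache is empty, so
    # there is no ticket to leverage into an AFS token.
    "$KLIST" -s >/dev/null 2>&1 || return 1
    "$AKLOG" >/dev/null 2>&1 || return 3
    return 0
}

# Wrapper for the login shell: silent on success, one diagnostic otherwise.
# Returns the same code as afs_token_from_krb5.
afs_login_hook() {
    rc=0
    afs_token_from_krb5 || rc=$?
    case $rc in
        0) ;;
        1) echo "No Kerberos ticket (public-key login?); run: kinit && aklog" >&2 ;;
        2) echo "klist/aklog not found; AFS tokens unavailable here" >&2 ;;
        3) echo "aklog failed; check that this cell's realm matches your ticket" >&2 ;;
    esac
    return $rc
}
```

Source this from the shell's login initialization file and call `afs_login_hook`; with Kerberos authentication plus ticket forwarding on the SSH side, the user gets a token without typing anything, while a public-key login gets the first diagnostic instead of a silently token-less session. The `rc` handling lets the file also be sourced under `set -e` without aborting the login shell on the no-ticket case.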