[OpenAFS-devel] Re: [OpenAFS] AFS / PAM / SSH / (w/o Kerberos)

Derek Atkins warlord@MIT.EDU
Sat, 11 Dec 2004 16:21:33 -0500


TOBx <TOBx@gmx.de> writes:

> I don't want to do any token passing.

Oh, that was unclear...

> The situation is as follows:
>
> There are a couple of AFS-Server (and Client) machines with sshd
> running.
> Additionally there are some unix-boxes w/o AFS but the ssh client
> program.
>
> Now what I want is that s.o. who is logged on to one of those
> "non-AFS-unix-boxes" is able to ssh to one of the AFS-Servers and is
> authenticated via the pam-ssh module running on the AFS machines.
> (This step works fine already)
> Additionally I want that an AFS-token is created on the AFS-Server the
> person logged on. So that he doesn't have to call 'klog' every time after
> the login. (The pam_afs-module has a "set_token" parameter which does
> not work in my situation!?)

What version of SSH are you using?  Just because you think you've
turned off Privilege Separation does not mean that it can still do
what you want.  This works fine in some versions of openssh and not in
others.

Make sure you have the ssh pam configuration set up to use pam_afs.
Also, this will NOT work with RSA Authentication.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available