[OpenAFS] openafs and Kerberos

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 23 Nov 2005 15:09:33 +0000


Forgive me asking this question here, though it is related to
OpenAFS only indirectly.

For a long time we were using patched openssh to transfer AFS
authentication between machines.  This involved using a local
patch, which we maintained up to 3.7.1, and transferred AFS
tokens using ssh protocol level 1 only.

When we upgraded from using the kaserver to using Heimdal, we
could use the Kerberos support patched into openssh 3.8.1
in the Debian ssh-krb5 package.  This package is rather buggy
and not actively maintained, but it seemed an adequate interim
measure on many of our machines.

The GSSAPI support in the recently released openssh 4.2 appears
mostly to do what we need: with proper configuration, an ordinary
user can pass Kerberos tickets to a remote machine, where a PAM
module gets tokens using aklog.  So far as I can see, these are
its limitations:

(1)  It won't allow a user whose home directory is in AFS to
     authenticate using ssh keys, even if he has Kerberos
     tickets to transfer.
(2)  It will allow me to pass Kerberos tickets to a remote
     user, except when the remote user is root.

I ask this because the documentation is somewhat inadequate,
and I'm certain I don't understand all the remarks about the
subject in various announcements.  I have verified (1) and (2)
by experiments, but only on selected machines.

     -- Owen
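The "proper configuration" mentioned above, written out as an added example rather than anything taken from Owen's post or from the OpenSSH or OpenAFS projects: the GSSAPI directives on both ends of the connection that let a Kerberos ticket be forwarded so a PAM module on the remote host can run aklog. The option names are real OpenSSH 4.x directives; the host pattern, the file paths and the unnamed PAM module are assumptions, and the limitation in point (1) follows directly from the fact that delegation only happens on the gssapi-with-mic method, not on public-key authentication.

```text
# --- server side: /etc/ssh/sshd_config (assumed path) ---
# Accept Kerberos/GSSAPI logins; this is the method that carries a
# delegated ticket, so key-based logins (point 1 above) never deliver one.
GSSAPIAuthentication yes
# Destroy the delegated credential cache when the session ends, so a
# forwarded TGT does not outlive the login that brought it.
GSSAPICleanupCredentials yes
# Keep public-key auth available for accounts whose home directory is
# not in AFS; it simply will not yield tokens by itself.
PubkeyAuthentication yes

# --- client side: ~/.ssh/config or /etc/ssh/ssh_config (assumed path) ---
# Only delegate to hosts you control; a forwarded TGT lets the remote
# host act as you for its remaining lifetime, so keep the pattern narrow.
Host *.example.org          # placeholder pattern, not from the post
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# --- remote host: PAM session stack (module name deliberately left
# unspecified; use whatever module your distribution provides to run
# aklog against the delegated cache) ---
# session  optional  <afs-token-module>.so
```

To check that the chain works as described, log in with a fresh ticket (kinit first) and run klist and tokens on the remote side: klist should show the forwarded ticket in a per-session cache, and tokens should show an AFS token for the cell. Running the same login over an ssh key instead should show neither, which is exactly what point (1) reports. For point (2), watch whether the delegated cache appears at all for the root login; sshd deliberately does not hand credentials to root unless the GSSAPI library's authorisation rules permit it, so the absence of a cache rather than a failed aklog is the thing to look for.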