[OpenAFS] openafs and Kerberos

Russ Allbery rra@stanford.edu
Wed, 23 Nov 2005 10:22:22 -0800

A V Le Blanc <LeBlanc@mcc.ac.uk> writes:

> When we upgraded from using the kaserver to using Heimdal, we
> could use the Kerberos support patched into openssh 3.8.1
> in the Debian ssh-krb5 package.  This package is rather buggy
> and not actively maintained, but it seemed an adequate interim
> measure on many of our machines.

ssh-krb5 is not being actively updated right now because we're planning on
retiring the package in favor of just having people use the new 4.2
packages with GSSAPI support.  They should be as capable, and if not, I'll
work to make sure they are.

> (1)  It won't allow a user whose home directory is in AFS to
>      authenticate using ssh keys, even if he has Kerberos
>      tickets to transfer.

I don't think this is a difference between it and ssh-krb5 unless I'm not
understanding you.  The problem that you're encountering is fundamental:
you have to successfully authenticate before you can forward Kerberos
tickets, and you have to forward Kerberos tickets before you can obtain a
token.  So you have to be able to authenticate without a token, which
means that you need to make your ssh authorized_keys file readable by an
unauthenticated process.

So far as I know, it's alwayas been this way.

> (2)  It will allow me to pass Kerberos tickets to a remote
>      user, except when the remote user is root.

This should work if, as mentioned by another poster, you list the
appropriate identities in ~root/.k5login.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>