[OpenAFS] openafs and Kerberos

R.Laatsch a0049@rrz.uni-koeln.de
Wed, 23 Nov 2005 16:48:50 +0100 (MET)

The solution to 1) :
Have the 'authorized_keys' file in another subdir
(say $HOME/public/ ) with acl system:anyuser rl and patch
auth.c + auth-rsa.c to additionally look there (if not root).
The afstokenpassing is still needed.
Best regards / Mit freundlichem Gruss
Rainer Laatsch
________________________________	______________________
E-mail: Laatsch@rrz.Uni-Koeln.DE	Universitaet zu Koeln
					Reg. Rechenzentrum (ZAIK/RRZK)
Fax   : (0221) 478-5590			Robert-Koch-Str. 10
Tel   : (0221) 478-5582			D-50931 Koeln

On Wed, 23 Nov 2005, Dr A V Le Blanc wrote:

> Forgive me asking this question here, though it is related to
> OpenAFS only indirectly.
> For a long time we were using patched openssh to transfer AFS
> authentication between machines.  This involved using a local
> patch, which we maintained up to 3.7.1, and transferred AFS
> tokens using ssh protocol level 1 only.
> When we upgraded from using the kaserver to using Heimdal, we
> could use the Kerberos support patched into openssh 3.8.1
> in the Debian ssh-krb5 package.  This package is rather buggy
> and not actively maintained, but it seemed an adequate interim
> measure on many of our machines.
> The GSSAPI support in the recently released openssh 4.2 appears
> mostly to do what we need: with proper configuration, an ordinary
> user can pass Kerberos tickets to a remote machine, where a PAM
> module gets tokens using aklog.  So far as I can see, these are
> its limitations:
> (1)  It won't allow a user whose home directory is in AFS to
>      authenticate using ssh keys, even if he has Kerberos
>      tickets to transfer.
> (2)  It will allow me to pass Kerberos tickets to a remote
>      user, except when the remote user is root.
> I ask this because the documentation is somewhat inadequate,
> and I'm certain I don't understand all the remarks about the
> subject in various announcements.  I have verified (1) and (2)
> by experiments, but only on selected machines.
>      -- Owen
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info