[OpenAFS] openafs and Kerberos
Wed, 23 Nov 2005 16:48:50 +0100 (MET)
The solution to (1):
Have the 'authorized_keys' file in another subdir
(say $HOME/public/ ) with ACL system:anyuser rl, and patch
auth.c + auth-rsa.c to additionally look there (if not root).
The AFS token passing is still needed.
Best regards / Mit freundlichem Gruss
E-mail: Laatsch@rrz.Uni-Koeln.DE
Fax : (0221) 478-5590
Tel : (0221) 478-5582
Universitaet zu Koeln, Reg. Rechenzentrum (ZAIK/RRZK)
Robert-Koch-Str. 10, D-50931 Koeln
On Wed, 23 Nov 2005, Dr A V Le Blanc wrote:
> Forgive me asking this question here, though it is related to
> OpenAFS only indirectly.
> For a long time we were using patched openssh to transfer AFS
> authentication between machines. This involved using a local
> patch, which we maintained up to 3.7.1, and transferred AFS
> tokens using ssh protocol level 1 only.
> When we upgraded from using the kaserver to using Heimdal, we
> could use the Kerberos support patched into openssh 3.8.1
> in the Debian ssh-krb5 package. This package is rather buggy
> and not actively maintained, but it seemed an adequate interim
> measure on many of our machines.
> The GSSAPI support in the recently released openssh 4.2 appears
> mostly to do what we need: with proper configuration, an ordinary
> user can pass Kerberos tickets to a remote machine, where a PAM
> module gets tokens using aklog. So far as I can see, these are
> its limitations:
> (1) It won't allow a user whose home directory is in AFS to
> authenticate using ssh keys, even if he has Kerberos
> tickets to transfer.
> (2) It will allow me to pass Kerberos tickets to a remote
> user, except when the remote user is root.
> I ask this because the documentation is somewhat inadequate,
> and I'm certain I don't understand all the remarks about the
> subject in various announcements. I have verified (1) and (2)
> by experiments, but only on selected machines.
> -- Owen
> OpenAFS-info mailing list