[OpenAFS] Re: openafs and Kerberos
Russ Allbery
rra@stanford.edu
Wed, 30 Nov 2005 12:31:59 -0800
A V Le Blanc <LeBlanc@mcc.ac.uk> writes:

> I think the (very old) patched ssh we used which forwarded AFS tokens
> did this, but I may be mistaken.

Oh, yeah, that's possible. I haven't used that for so long that I don't
remember.

> I find that if I log in on one machine with openssh-4.2 and get Kerberos
> tickets for a user, I can log in to another machine using '-o
> GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes', and this
> _does_ get AFS authentication and passes the Kerberos credentials
> across. The user in question has his home directory in /afs, and it is
> not world readable, nor is anything under it, so the GSSAPI
> authentication does not need access to authorized_keys files.

Right. GSSAPI authentication with openssh-4.2 in Debian has been patched
to do key exchange and therefore works entirely with Kerberos credentials
and doesn't require any of the standard ssh host key or
.ssh/authorized_keys stuff.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>