[OpenAFS] Re: openafs and Kerberos

Russ Allbery rra@stanford.edu
Wed, 30 Nov 2005 12:31:59 -0800

A V Le Blanc <LeBlanc@mcc.ac.uk> writes:

> I think the (very old) patched ssh we used which forwarded AFS tokens
> did this, but I may be mistaken.

Oh, yeah, that's possible.  I haven't used that for so long that I don't

> I find that if I login on one machine with openssh-4.2 and get kerberos
> tickets for a user, I can login to another machine using '-o
> GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes', and this
> _does_ get AFS authentication and passes the kerberos credentials
> across.  The user in question has his home directory in /afs, and it is
> not world readable, nor is anything under it, so the GSSAPI
> authentication does not need access to authorized_keys files.

Right.  GSSAPI authentication with openssh-4.2 in Debian has been patched
to do key exchange and therefore works entirely with Kerberos credentials
and doesn't require any of the standard ssh host key or
.ssh/authorized_keys stuff.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>