[OpenAFS] ssh and GSSAPI doesn't work

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 25 Jan 2007 23:23:25 +0000


On 18 Jan 2007, at 21:29, Massimiliano Masi wrote:

> Hi all,
>
> I would like to use GSSAPIAuthentication with ssh-krb5 package
> on debian.

Firstly, you need to have credential delegation enabled. You need  
GSSAPIDelegateCredentials yes in the client configuration file, or  
the client command line.

Secondly, you'll need a mechanism to get AFS tokens following a  
successfully forwarded Kerberos connection. Locally, we use PAM with  
Doug Engert's pam_afs2 module.

There are other details that may cause you issues, due to the  
interesting way that PAM and OpenSSH interface with each other. Using  
'PasswordAuthentication' rather than  
'ChallengeResponseAuthentication' can help to reduce these in some  
situations.

Simon.