[OpenAFS] Passwordless login through ssh with pam/afs.

Russ Allbery rra@stanford.edu
Wed, 14 Mar 2007 08:55:17 -0700


Walter Lamagna <wlamagna@tenroses.com.ar> writes:

> Yes, I want to log in to a server through ssh authenticating with public
> key, using the authorized_keys2 file located in the user's home
> directory. I have this directive in sshd_config:

> AuthorizedKeysFile  ~/.ssh/authorized_keys2

> How can I do this?

Like that, with making that directory world-readable.  However, after the
person logs in, they won't have AFS tokens, and you can't run the AFS PAM
module for those logins since it can't do anything meaningful without a
password.  (In general, you don't want to be using the pam_afs from the
OpenAFS source tree at all unless you're running a Kerberos infrastructure
based on AFS kaserver, which you don't want to be doing, so I'll just go
back to "you don't want to be using that module at all.")

If you want people to be able to log in with ssh public key authentication
and also get an AFS token, well, the answer is that you can't do that.
There's no way currently to go from ssh public key authentication to an
AFS token.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>