[OpenAFS] forwarding credentials with OpenSSH, Kerberos and pam-afs-session

Jim Rees rees@umich.edu
Thu, 6 Sep 2007 11:30:40 -0400


James Rogers wrote:

  I believe krb5 forwarding requires a host principal for the  
  forwarding machine. Do you have one for your home machine?

No, I think you need the host key on the forwarded-to (server) machine.  And
you need GSSAPIAuthentication in the ssh config on both the client and
server, and GSSAPIDelegateCredentials on the client.  And "afs-use-524 = 2b"
in your krb5.conf.  You also need the equivalent of aklog on the server
side, which the appropriate pam module can do for you (I don't use pam).
And if you're doing X forwarding and your home directory is in afs, you'll
need to move the Xauthority file to the local disk.

This is probably all documented somewhere.

I think it would be nice if you could use ssh credentials for the login
authentication, and still delegate the kerberos ticket.  Then you wouldn't
need the host key on the server.  But this is apparently considered a
problem.

Even nicer would be token forwarding, like we had back in the good old days.
That would make it easier for those of us who need tokens in multiple cells.
But you can't have everything.
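An added example, not part of this post or of OpenSSH/OpenAFS: a POSIX shell checklist that tests the settings Jim lists (the client and server ssh options, the krb5.conf setting, and an Xauthority path outside /afs) against constructed sample files. The paths, the sample contents and the `[appdefaults]` placement of `afs-use-524` are assumptions of the example.

```shell
# Added checklist (not from the post, OpenSSH or OpenAFS): checks the settings
# Jim lists in config files given as arguments. The sample files are constructed;
# on a real host they would be /etc/ssh/ssh_config, sshd_config and krb5.conf.

# opt_set FILE OPTION VALUE: true if FILE has an "Option value" line. ssh
# keywords are case-insensitive; this is a line match, not ssh's own
# first-match-wins parse, so later Host/Match blocks are not modelled.
opt_set() {
    grep -Eiq "^[[:space:]]*$2[[:space:]=]+$3[[:space:]]*$" "$1"
}

# krb5_opt FILE KEY VALUE: same for a "key = value" line in krb5.conf
krb5_opt() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# Client: GSSAPI auth on and delegation on, or no ticket reaches the server
check_client() {
    opt_set "$1" GSSAPIAuthentication yes &&
    opt_set "$1" GSSAPIDelegateCredentials yes
}
# Server: sshd must accept GSSAPI (this is what needs the host principal)
check_server() { opt_set "$1" GSSAPIAuthentication yes; }
# krb5.conf: afs-use-524 = 2b, so the token is built from the krb5 ticket
check_krb5() { krb5_opt "$1" afs-use-524 2b; }
# X forwarding: .Xauthority must be on local disk, since sshd writes it
# before the session has an AFS token
check_xauth() { case "$1" in /afs/*) return 1 ;; *) return 0 ;; esac; }

# Constructed sample files: client and krb5.conf correct, server not yet
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_config" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
GSSAPIAuthentication no
EOF
cat > "$demo_dir/krb5.conf" <<'EOF'
[appdefaults]
    afs-use-524 = 2b
EOF

check_client "$demo_dir/ssh_config" || echo "client: enable GSSAPIAuthentication and GSSAPIDelegateCredentials"
check_server "$demo_dir/sshd_config" || echo "server: enable GSSAPIAuthentication"
check_krb5 "$demo_dir/krb5.conf" || echo "krb5.conf: set afs-use-524 = 2b"
check_xauth "${XAUTHORITY:-$HOME/.Xauthority}" || echo "move .Xauthority off AFS"
```

On a live client, `ssh -G hostname` (OpenSSH 6.8 and later) prints the options ssh will actually use for that host and is the authoritative check of the client side.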