[OpenAFS] OS X 10.5 and kerberos ssh logins

Andy Cobaugh phalenor@gmail.com
Wed, 29 Jul 2009 17:16:58 -0400 (EDT)


On 2009-07-29 at 14:07, Adeyemi Adesanya ( yemi@slac.stanford.edu ) said:
>
> Hi There.
>
> We've had a long standing issue with OS X 10.5 (Leopard) and I just wanted to 
> check with folks to see if anyone has solved it. We are able to perform 
> Kerberos SSH logins to 10.5 clients using the SSH GSSAPI options 
> GSSAPIAuthentication and GSSAPIDelegateCredentials. As long as I have a valid 
> kerberos ticket, I can log into my 10.5 systems without supplying a password. 
> However, there does not appear to be any sign that the forwarded kerberos 
> ticket is cached on the remote system. As a result, I cannot obtain an AFS 
> token automatically. This was working for us under 10.4 but we have not found 
> a solution for 10.5. Looks like the problem still exists for 10.6 too.

Use the sshd from macports. Apple's sshd is trying to use their credential 
caching mechanism, which would appear to store the credentials in your 
home directory, which if it's in AFS obviously won't work.

Are you able to login at all _without_ GSSAPI, i.e. with a password? 
We're unable to, and that's the only major problem we're still seeing. 
Although come to think about it, this might be alleviated if we use Russ's 
pam_krb5, hmm...

--andy