[OpenAFS] OS X 10.5 and kerberos ssh logins
Adeyemi Adesanya
yemi@slac.stanford.edu
Wed, 29 Jul 2009 14:26:49 -0700
Hi Andy.
Thanks for the info regarding sshd from macports. I'll check it out.
We can log in via password using pam_KFM.so.
-------
Yemi
On Jul 29, 2009, at 2:16 PM, Andy Cobaugh wrote:
> On 2009-07-29 at 14:07, Adeyemi Adesanya (yemi@slac.stanford.edu)
> said:
>>
>> Hi There.
>>
>> We've had a long-standing issue with OS X 10.5 (Leopard) and I just
>> wanted to check with folks to see if anyone has solved it. We are
>> able to perform Kerberos SSH logins to 10.5 clients using the SSH
>> GSSAPI options GSSAPIAuthentication and GSSAPIDelegateCredentials.
>> As long as I have a valid Kerberos ticket, I can log into my 10.5
>> systems without supplying a password. However, there does not
>> appear to be any sign that the forwarded Kerberos ticket is cached
>> on the remote system. As a result, I cannot obtain an AFS token
>> automatically. This was working for us under 10.4 but we have not
>> found a solution for 10.5. Looks like the problem still exists for
>> 10.6 too.
>
> Use the sshd from macports. Apple's sshd is trying to use their
> credential caching mechanism, which would appear to store the
> credentials in your home directory, which if it's in AFS obviously
> won't work.
>
> Are you able to log in at all _without_ GSSAPI, i.e. with a password?
> We're unable to, and that's the only major problem we're still
> seeing. Although come to think about it, this might be alleviated if
> we use Russ's pam_krb5, hmm...
>
> --andy