[OpenAFS-port-darwin] Tokens on SSH login?

[Nate Coraor]

On May 8, 2007, at 2:12 PM, Russ Allbery wrote:

> At least in theory, http://www.eyrie.org/~eagle/software/pam-afs- 
> session/
> will support Mac OS X, or at least compile on it.  I'm not sure that
> anyone has tried to use it, but you may want to give it a shot.  If  
> ssh
> will runn the session stack of PAM after doing KerberosAuthentication,
> that should work.

Thanks Russ,

You can now mark that theory down as proven fact. ;)

Builds fine and everything works.  Just drop it in the bottom of the  
sshd PAM stack:

session    optional       pam_afs_session.so

For the record, it also works with forwarded tickets as long as you set:

     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials yes

in your SSH config.

--nate