SSH with K5/AFS: anyone?
Douglas E. Engert
deengert at anl.gov
Wed Aug 25 16:51:27 EDT 2004
Sensei wrote:
> Hi. I don't have luck with SSH and K5/AFS. I'm trying to make a
> passwordless ssh trusting the k5 tickets and granting the access to afs
> using aklog (pam_openafs_session).
>
> I have these configuration: server with debian stable, ssh 3.6 ---
> clients with gentoo ssh 3.9, nothing seems to work properly. I tried
> some solutions:
>
> - UsePAM yes PasswordAuthentication yes does not work
> - Kerberos* yes does not work
> - Kerberos* yes GSSAPI* does not work
> - PriviledgeSeparation no/yes does not work
> - ...
>
> I don't have an idea. I waited till ssh 3.9, but nothing.
See http://bugzilla.mindrot.org/show_bug.cgi?id=918
as a start.
>
> Has anyone *EVER* succeeded in using passwordless ssh with kerberos and afs?
>
Yes use it all the time with gssapi. But we have a local mod to
get the PAG and token. The above patch to 3.9 should allow the
pam_openafs_session to see the KRB5CCNAME, or is a start so the
pam_openafs_session can be convertd to a pam_sm_setcred to
use the KRB5CCNAME in all cases.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list