Kerberos tickets, SSH public key auth, AFS tokens

Jeff Blaine jblaine at stage-infinity.com
Wed Dec 16 16:37:47 EST 2009


Long ago, we evaluated the facilities within OS-provided
sshd for handling our Kerberos + OpenAFS authentication
needs.  That is, things like the Kerberos* settings,
GetAFSToken or whatever it was called, etc.

We found it to be an unusable mismatched moving target.

We decided to do everything via PAM, with the exception
of ssh public key auth for those who choose to use it
and not get OpenAFS tokens automatically.

It works great thanks to pam_krb5 and pam_afs_session
from Russ Allbery.

Our problem now is, of course, that people are complaining
about the number of times they have to type a password.

Can some of you hint to me what I should be researching
as a solution to this?  Essentially we need a non-interactive
way to get OpenAFS tokens via krb5 creds, and I am pretty
clueless about such things.  More specifically, this has
all come about from users complaining about CVS-via-SSH
requiring a password in order to get tokens.




