Kerberos tickets, SSH public key auth, AFS tokens

Russ Allbery rra at stanford.edu
Wed Dec 16 17:37:22 EST 2009


Jeff Blaine <jblaine at stage-infinity.com> writes:

> We decided to do everything via PAM, with the exception of ssh public
> key auth for those who choose to use it and not get OpenAFS tokens
> automatically.

> It works great thanks to pam_krb5 and pam_afs_session from Russ Allbery.

> Our problem now is, of course, that people are complaining about the
> number of times they have to type a password.

> Can some of you hint to me what I should be researching as a solution to
> this?  Essentially we need a non-interactive way to get OpenAFS tokens
> via krb5 creds, and I am pretty clueless about such things.  More
> specifically, this has all come about from users complaining about
> CVS-via-SSH requiring a password in order to get tokens.

If you run an ssh server that supports GSSAPI authentication and your
users use ssh clients that support GSSAPI authentication and do ticket
forwarding, pam_afs_session will then automatically get an AFS token with
the forwarded ticket.  The stock OpenSSH distribution now supports both
authentication and ticket forwarding, as I believe does Sun's ssh
implementation.  On Windows systems, I believe SecureCRT also supports
both GSSAPI authentication and ticket forwarding.

The key configuration options are, on the sshd side:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

and on the ssh client side:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

The last setting you usually want to have the user put in a specific Host
block that's restricted to only trusted systems, since forwarding tickets
around willy-nilly is a bad idea.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
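As an added example, not part of Russ's post, the following shell audit checks the point made about the client-side setting: it reports whether an OpenSSH client config enables GSSAPIDelegateCredentials globally (which would forward the user's Kerberos TGT to every server they connect to), or only inside a Host block limited to specific servers. The sample configs, the host names in them and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH client config for
# the GSSAPIDelegateCredentials setting. A "yes" in the global section (or under
# "Host *") forwards the user's Kerberos TGT to every host they ssh to; the safer
# shape is to scope it inside a Host block that lists only trusted servers.

# delegate_scope FILE
#   Prints "global" if GSSAPIDelegateCredentials yes applies to every host,
#   "scoped" if it is enabled only inside Host/Match blocks, "unset" otherwise.
delegate_scope() {
    awk '
        # skip comment lines and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)      # strip leading indentation
            sub(/=/, " ", line)           # accept "Key=value" as well as "Key value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host" || key == "match") {
                # "Host *" matches everything, so settings under it count as global
                in_block = !(key == "host" && f[2] == "*" && f[3] == "")
                next
            }
            if (key == "gssapidelegatecredentials" && val == "yes") {
                if (in_block) scoped = 1; else global = 1
            }
        }
        END {
            if (global) print "global"
            else if (scoped) print "scoped"
            else print "unset"
        }
    ' "$1"
}

# Constructed sample configs with hypothetical host names.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
UNSAFE_CFG="$WORKDIR/ssh_config.unsafe"
SAFE_CFG="$WORKDIR/ssh_config.safe"

cat > "$UNSAFE_CFG" <<'EOF'
# forwards the TGT to every server, including untrusted ones
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
EOF

cat > "$SAFE_CFG" <<'EOF'
GSSAPIAuthentication yes

# delegation only to the trusted CVS and login servers
Host cvs.example.org afs-login.example.org
    GSSAPIDelegateCredentials = yes
EOF

for cfg in "$UNSAFE_CFG" "$SAFE_CFG"; do
    printf '%s: GSSAPIDelegateCredentials is %s\n' "$cfg" "$(delegate_scope "$cfg")"
done
```

Run it against a user's ~/.ssh/config or the system-wide ssh_config; "global" is the case the post warns about, "scoped" is the Host-block layout it recommends.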
