Kerberos tickets, SSH public key auth, AFS tokens
Douglas E. Engert
deengert at anl.gov
Wed Dec 16 17:39:58 EST 2009
Jeff Blaine wrote:
> Long ago, we evaluated the facilities within OS-provided
> sshd for handling our Kerberos + OpenAFS authentication
> needs. That is, things like the Kerberos* settings,
> GetAFSToken or whatever it was called, etc.
>
> We found it to be an unusable mismatched moving target.
>
> We decided to do everything via PAM, with the exception
> of ssh public key auth for those who choose to use it
> and not get OpenAFS tokens automatically.
>
> It works great thanks to pam_krb5 and pam_afs_session
> from Russ Allbery.
>
> Our problem now is, of course, that people are complaining
> about the number of times they have to type a password.
>
> Can some of you hint to me what I should be researching
> as a solution to this? Essentially we need a non-interactive
> way to get OpenAFS tokens via krb5 creds, and I am pretty
> clueless about such things. More specifically, this has
> all come about from users complaining about CVS-via-SSH
> requiring a password in order to get tokens.

ssh could use "GSSAPIDelegateCredentials yes" to forward
Krb5 tickets, and the sshd could then use pam_afs_session
to get the token, even for CVS.

But this won't work with ssh public keys. If it's WinCVS
on Windows you are interested in, it too can support GSSAPI.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
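
An added example, not part of the original message or of any project named in it: a shell check of the three pieces the reply depends on, namely GSSAPI delegation on the client, GSSAPI plus PAM in sshd, and pam_afs_session in the session stack. It reads `ssh -G host` and `sshd -T` style dumps as text; the function names, the host `cvs.example.org` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the three places that must agree before
# delegated Kerberos tickets turn into AFS tokens. Input is text only.

# Value of a keyword in `ssh -G` / `sshd -T` output ("keyword value").
cfg_value() {  # $1 = lowercase keyword, stdin = config dump
    awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
}

# Client: classify the effective ssh_config for one host.
client_status() {  # stdin = output of `ssh -G host`
    dump=$(cat)
    auth=$(printf '%s\n' "$dump" | cfg_value gssapiauthentication)
    deleg=$(printf '%s\n' "$dump" | cfg_value gssapidelegatecredentials)
    if [ "$auth" != yes ]; then echo "no-gssapi"
    elif [ "$deleg" != yes ]; then echo "gssapi-no-delegation"
    else echo "delegating"; fi
}

# Server: sshd must accept GSSAPI and run the PAM session stack.
server_status() {  # stdin = output of `sshd -T`
    dump=$(cat)
    [ "$(printf '%s\n' "$dump" | cfg_value gssapiauthentication)" = yes ] ||
        { echo "no-gssapi"; return; }
    [ "$(printf '%s\n' "$dump" | cfg_value usepam)" = yes ] ||
        { echo "no-pam"; return; }
    echo "ok"
}

# PAM: an uncommented session line must load pam_afs_session.
pam_has_afs_session() {  # stdin = contents of the sshd PAM file
    grep -Eq '^[[:space:]]*-?session[[:space:]]+.*pam_afs_session\.so'
}

# Constructed sample input (not taken from a real host).
SAMPLE_CLIENT='hostname cvs.example.org
gssapiauthentication yes
gssapidelegatecredentials no'
SAMPLE_SERVER='usepam yes
gssapiauthentication yes'
SAMPLE_PAM='session  optional  pam_afs_session.so'

printf 'client: %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT" | client_status)"
printf 'server: %s\n' "$(printf '%s\n' "$SAMPLE_SERVER" | server_status)"
printf '%s\n' "$SAMPLE_PAM" | pam_has_afs_session && echo "pam: ok"
```

Because delegation hands the user's ticket-granting ticket to the remote host, a "delegating" result is only wanted for `Host` entries that name trusted servers, and the ticket must be forwardable for it to work.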