sshd with afs tokens?

Booker Bense bbense at SLAC.Stanford.EDU
Fri Aug 1 17:04:10 EDT 2003

On Fri, 1 Aug 2003, bil wrote:

> Does anyone out there have any pointers on getting afs tokens via sshd for
> remote login, either via including afs/kerberos in the ssh build, or via
> pam?

- There are various hacks to get openssh to forward afs tokens.
They only work if you are using version 1 of the protocol.

> Here's what we've tried (apologies in advance for my ignorance of the unix
> level) with the sshd, trying to build with afs and kerberos.
> *The included sshd doesn't seem to include support for kerberos 4 and afs.
> *Got some help from our apple engineer, who got some instructions from a
> fellow at the fermilab on building openssh against kerberos5 (but we're a
> kerberos4 /afs shop). That helped us run down the road until we hit the
> first tree.
> *Ideally, we'd like to get this to work with the built in kerberos, but
> sshd wouldn't build against it, said there was a missing library. Make
> failed tho since it couldn't find kafs.h.
> *Installed KTH-krb, that went ok, and got opssh to make against that and
> got it running, but now it seems to be failing because we don't have the
> kerberos services registered (sshd debug line is "Kerberos v4 TGT for xxxx
> unverifiable: (null); rcmd.gilgamesh not registered, or srvtab is wrong?").
> Any ideas?

- If you're going to login with username and passwd using
kerberos 4 as the authentication method you MUST have a srvtab
for rcmd on the machine you are attempting to log into. If you
want to login via the local passwd mechanism and then attempt to
get an afs token, then you should look into various afs PAM

- Booker C. Bense

More information about the krbdev mailing list