Re: KerberosGetAFSToken drives me crazy

This is a discussion on Re: KerberosGetAFSToken drives me crazy within the OpenSSH Development forums, part of the Networking and Network Related category; The other approach is to not have any direct Kerberos or AFS support at all in ssh or sshd. But ...


Go Back   Usenet Forums > Networking and Network Related > OpenSSH Development

Reload this Page Re: KerberosGetAFSToken drives me crazy

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 11-10-2005
Douglas E. Engert
 
Posts: n/a
Default Re: KerberosGetAFSToken drives me crazy

The other approach is to not have any direct Kerberos or AFS support at all in ssh
or sshd. But rather use the GSSAPI and PAM with sshd to get AFS tokens
from the forwarded GSSAPI credentials i.e. forwarded K5 tickets. This then
avoids problems if the vendor did not compile in the options you wanted
or use the Kerberos distributions you wanted.

We use the vendor's pam_krb5 if possible for the keyboard interactive,
and a pam_afs2 for the kewyboard interactive, and gssapi session. pam_afs2
will get an AFS PAG and call your favoriate aklog to get a token.

Drop me a note if you would like more information.


Robert Banz wrote:

> Darren Tucker wrote:
>
>>Jan Bilang wrote:
>>
>>>every time i enable the option "KerberosGetAFSToken yes" on a computer where
>>>the afs-client works fine i get a (/var/log/)message(s) like this:
>>>"sshd[1136]: rexec line 70: Unsupported option KerberosGetAFSToken".
>>
>>In addtion to requiring Kerberos support, that option only works if your
>>Kerberos implementation has the required AFS bits (k_setpag() and a few
>>other calls) and at the moment, only Heimdal has them. There was talk
>>of adding them as an external library for MIT Kerberos but as far as I
>>know that's never happened.
>>
>>Depending on what your OS vendors have done, it might be possible to
>>configure AFS to work via a PAM module, but that's going to be vendor
>>specific.
>>
>>(Hmm, I see that FC3 has a "krbafs" package which implements some but
>>not all of the functions needed. I don't know if it could be made to
>>work.)
>>
>
>
> I've actually gotten things to build with the krbafs package + MIT on
> multiple architectures (Solaris & OSX.) So, it's all there.
>
> -rob
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> http://www.mindrot.org/mailman/listi...enssh-unix-dev
>
>

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 08:47 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0