[31775] in Kerberos


Kerberos tickets, SSH public key auth, AFS tokens

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Wed Dec 16 17:17:01 2009

Message-ID: <4B29532B.9060808@stage-infinity.com>
Date: Wed, 16 Dec 2009 16:37:47 -0500
From: Jeff Blaine <jblaine@stage-infinity.com>
To: kerberos@mit.edu

Long ago, we evaluated the facilities within OS-provided
sshd for handling our Kerberos + OpenAFS authentication
needs.  That is, things like the Kerberos* settings,
GetAFSToken or whatever it was called, etc.

We found it to be an unusable mismatched moving target.

We decided to do everything via PAM, with the exception
of ssh public key auth for those who choose to use it
and not get OpenAFS tokens automatically.

It works great thanks to pam_krb5 and pam_afs_session
from Russ Allbery.

Our problem now is, of course, that people are complaining
about the number of times they have to type a password.

Can some of you hint to me what I should be researching
as a solution to this?  Essentially we need a non-interactive
way to get OpenAFS tokens via krb5 creds, and I am pretty
clueless about such things.  More specifically, this has
all come about from users complaining about CVS-via-SSH
requiring a password in order to get tokens.

