[31778] in Kerberos
Re: Kerberos tickets, SSH public key auth, AFS tokens
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Dec 16 17:40:23 2009
Message-ID: <4B2961BE.4090200@anl.gov>
Date: Wed, 16 Dec 2009 16:39:58 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Jeff Blaine <jblaine@stage-infinity.com>
In-Reply-To: <4B29532B.9060808@stage-infinity.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Jeff Blaine wrote:
> Long ago, we evaluated the facilities within OS-provided
> sshd for handling our Kerberos + OpenAFS authentication
> needs. That is, things like the Kerberos* settings,
> GetAFSToken or whatever it was called, etc.
>
> We found it to be an unusable mismatched moving target.
>
> We decided to do everything via PAM, with the exception
> of ssh public key auth for those who choose to use it
> and not get OpenAFS tokens automatically.
>
> It works great thanks to pam_krb5 and pam_afs_session
> from Russ Allbery.
>
> Our problem now is, of course, that people are complaining
> about the number of times they have to type a password.
>
> Can some of you hint to me what I should be researching
> as a solution to this? Essentially we need a non-interactive
> way to get OpenAFS tokens via krb5 creds, and I am pretty
> clueless about such things. More specifically, this has
> all come about from users complaining about CVS-via-SSH
> requiring a password in order to get tokens.
ssh could use "GSSAPIDelegateCredentials yes" to forward
Krb5 tickets, and the sshd could then use pam_afs_session
to get the token, even for CVS.
But this won't work with ssh public keys. If it's WinCVS
on Windows you are interested in, it too can support GSSAPI.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
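
The setup suggested in the reply above, sketched as configuration. This is an added example, not part of the original message or of any project's shipped files; the host name cvs.example.org and the PAM file path are assumptions.

```conf
# --- client: ~/.ssh/config ---
# Delegate only to the named host (hypothetical name). A forwarded TGT can
# be used by anyone with root on the receiving machine, so delegation is
# scoped to one host instead of being enabled under "Host *".
# ssh uses the first value it finds for each option, so the specific
# Host block must come before the catch-all.
Host cvs.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIDelegateCredentials no

# The client's TGT must be forwardable (kinit -f, or "forwardable = true"
# under [libdefaults] in krb5.conf); otherwise there is nothing to delegate.

# --- server: sshd_config ---
# sshd needs a host/<fqdn> key in its keytab to accept GSSAPI logins.
GSSAPIAuthentication yes
# Destroy the delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
# PAM session modules must run for pam_afs_session to be called.
UsePAM yes

# --- server: PAM stack for sshd (path assumed: /etc/pam.d/sshd) ---
# sshd stores the delegated tickets and exports KRB5CCNAME to the PAM
# environment; pam_afs_session uses that cache to obtain the AFS token.
session  required  pam_afs_session.so
```

Logins that authenticate with an ssh public key carry no Kerberos ticket, so no token is obtained for them, as the reply notes.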