Jeff Blaine wrote:
> Long ago, we evaluated the facilities within OS-provided
> sshd for handling our Kerberos + OpenAFS authentication
> needs. That is, things like the Kerberos* settings,
> GetAFSToken or whatever it was called, etc.
>
> We found it to be an unusable mismatched moving target.
>
> We decided to do everything via PAM, with the exception
> of ssh public key auth for those who choose to use it
> and not get OpenAFS tokens automatically.
>
> It works great thanks to pam_krb5 and pam_afs_session
> from Russ Allbery.
>
> Our problem now is, of course, that people are complaining
> about the number of times they have to type a password.
>
> Can some of you hint to me what I should be researching
> as a solution to this? Essentially we need a non-interactive
> way to get OpenAFS tokens via krb5 creds, and I am pretty
> clueless about such things. More specifically, this has
> all come about from users complaining about CVS-via-SSH
> requiring a password in order to get tokens.

ssh could use "GSSAPIDelegateCredentials yes" to forward Krb5 tickets,
and the sshd could then use pam_afs_session to get the token, even for CVS.
But this won't work with ssh public keys.

If it's winCVS on Windows you are interested in, it too can support GSSAPI.

> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
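
The setup described in the reply above, written out as configuration. This is an added example, not taken from either poster's systems; the host name, the file locations and the use of `required` in the PAM line are assumptions.

```conf
# --- Client: ~/.ssh/config -------------------------------------------
# cvs.example.org is a placeholder host name (assumption).
# Delegation hands a copy of your TGT to the remote host, so it is
# scoped to a named host here rather than set under "Host *".
Host cvs.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
# The client only has something to delegate if its TGT is forwardable,
# e.g. obtained with "kinit -f" or with "forwardable = true" in the
# [libdefaults] section of krb5.conf.

# --- Server: /etc/ssh/sshd_config ------------------------------------
# GSSAPI login needs a host/<fqdn> principal in the server's keytab.
GSSAPIAuthentication yes
# Destroy the delegated ticket cache when the session ends.
GSSAPICleanupCredentials yes
# PAM must be enabled so the session stack below runs for GSSAPI
# logins, even though no password is exchanged.
UsePAM yes

# --- Server: PAM stack for sshd (path varies by OS; assumption) ------
# pam_afs_session obtains the AFS token from the delegated ticket
# cache when the session is opened.
session  required  pam_afs_session.so
```

With this in place a CVS-over-ssh invocation (CVS_RSH=ssh) to that host authenticates with the user's existing ticket and gets a token without a password prompt; logins using ssh public keys still arrive with no ticket and therefore no token, as the reply notes.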