Dear list,

While fiddling around to move my home directories onto AFS, I noticed a
bit of interesting behaviour. At first glance, everything seems just
fine. When logging in through the Krb5 mechanism (as defined in
login.conf), OpenSSH nicely obtains an AFS token for me. Use case:
Windows SSH client entering a username/password upon connecting.

The following scenario, however, does not get me AFS tickets in my
shell: obtaining Krb5 credentials on the client and logging into
OpenSSH through GSSAPI. Although logging in seems to have nicely
transferred my Krb5 ticket, OpenSSH does not obtain an AFS token for
me. Running afslog manually fixes this, but I would greatly prefer to
have afslog run automatically.

Browsing the archives, I gather GSSAPI and Kerberos are treated
differently, but I cannot distill a solution from the results. Is
there any? I'm presently thinking of ways to get 'afslog' to run after
the GSSAPI login is completed. Would the 'approve' stanza in
login.conf and a small script work for this purpose?

Reading the manual, I do get the feeling approve wasn't meant for this
sort of thing, but I figured to best ask here for some good advice.
Insight or a good cluebat are most appreciated.

I'm thinking along the lines of:
(in /etc/login.conf)
:approve=/usr/local/bin/auto-afslog:\
:approve-ftp=/usr/local/bin/auto-afslog:\


(for the script)
#!/bin/sh
# Obtain AFS tokens for the cell that holds the user's home directory.
AFSLOG="/usr/bin/afslog"
"${AFSLOG}" -p "${HOME}"

For a ${HOME} based in AFS filespace. If ${HOME} were to be outside
AFS file space, I wouldn't mind the login to fail, since that would be
a worthwhile incident to investigate.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
