Andrei Maslennikov wrote:
>
> On Tue, 24 Feb 2004, Jim Rees wrote:
>
> > I see that OpenSSH 3.8 was released today, with "New KerberosGetAFSToken
> > option for sshd(8)." This sounds like good news.
>
> I tried it on Linux. First notes follow:
>
> 1) gssapi was replaced with gssapi-with-mic, and this means that
> ssh_config now should contain:
>
> "GSSAPIAuthentication yes"
> "GSSAPIDelegateCredentials yes".
>
> (to allow gssapi/mic authentication with delegation of credentials).
>
> 2) Connecting from a session without k5 creds:
> -------------------------------------------
> The new option "KerberosGetAFSToken yes" works correctly. It allows
> to obtain a token in a new pagsh with K5-passwd login. I have noted,
> however, an annoying delay between the act of successful authentication
> and the moment when the tokenized session is finally established.
>
> In particular, client says:
>
> "debug1: Authentication succeeded"
>
> then server says:
>
> "debug1: server_input_channel_open: confirm session"
>
> and then server sleeps several *very* visible seconds prior to
> continue correctly.

Do you have some PAM routine to get the AFS token?

>
> With 3.7.1p2 and k5env/afslog everything works much faster.
>
>
> 3) Connecting from a session with k5 creds:
> ---------------------------------------
> GSSAPI authentication works and K5 credentials are being
> forwarded correctly. However, while I am admitted to the host
> with gssapi-with-mic, I am not getting token/pagsh anymore
> (like in case of K5-password login).
>
> I might have missed something. But the first impression is that
> 3.8p1 is i) a good step forward, but ii) still has to be worked on.

Did you set "KerberosGetAFSToken yes" in the sshd_config?
Do you have kafs, or a PAM exit or the get_afs_token?
(I have a newer version which does the setpag in the current process.)

>
> Andrei.
>
> _______________________________________________
> OpenAFS-devel mailing list
> [EMAIL PROTECTED]
> https://lists.openafs.org/mailman/listinfo/openafs-devel

--

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
