On Sat, May 04, 2002 at 02:34:09PM -0400, Ray Link wrote:
> There is a way to do this with the newer versions of OpenSSH, but it
> involves dorking with the structure of your ~/.ssh directory.
>
> Background info first:
>
> In older (pre-2.9, iirc) versions of OpenSSH, it would pass your AFS
> token across during the authentication phase, so the remote sshd could
> read your ~/.ssh/authorized_keys file (since the whole directory is
> hopefully ACL'd to keep people out, as your private keys live there,
> too.) Now that the remote sshd can read files in your ~/.ssh dir, RSA
> key authentication can happen normally, and all is good.
>
> Currently, however, OpenSSH doesn't accept passed AFS tokens until
> after authentication has already taken place. Since the remote sshd
> doesn't have a token to read your authorized_key file, it falls back
> to password auth. Once you're authed and it hits the session phase,
> then and only then does the AFS token get passed. The general
> consensus is that this was changed because passing an AFS token before
> actual authentication happened was seen as a security risk.

I needed to pass tokens with kaserver too (no krb5 yet), so I made a patch, which passes the token before authentication (as in openssh <= 2.9).

Pavel Semerad
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info