Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-14 Thread Walter Lamagna
I am using PAM + AFS to authenticate the user; I have given permissions
to everybody to read the .ssh directory of the user's home directory, but
ssh complains with:

pam_afs[25129]: AFS Won't use illegal password for user walter

How could I resolve it?

Thanks
Walter


On Thu, 2007-03-08 at 10:20 -0500, Jim Rees wrote:
 Alexander Al wrote:
 
   I'll tell the user : can't (because he is connecting from outside.)
 
 That's the wrong answer.  This should go in a FAQ somewhere.  You just need
 to make the public key world readable.  That's difficult because ssh wants
 to put public and private keys both in the same directory, and afs puts the
 same acls on all files in a directory.  But with creative use of symlinks it
 can certainly be done.
 
 Here is how I do it.  It's not the only way, maybe not the best way, but it
 works for me.
 
 % cd .ssh
 % ls -l
 total 17
 -rw-r--r--  1 rees  staff   828 Nov 16  2005 authorized_keys
 -rw-r--r--  1 rees  staff    62 Dec 18 17:08 check-dups
 lrwxr-xr-x  1 rees  wheel    14 Jan  1  1999 config -> private/config
 -rw-r--r--  1 rees  staff    52 Jan 10  2006 config-um
 -rw-r--r--  1 rees  wheel    31 Jan  1  1999 environment
 lrwxr-xr-x  1 rees  wheel    14 Oct 13  2000 id_dsa -> private/id_dsa
 -rw-r--r--  1 rees  wheel   604 Oct 13  2000 id_dsa.pub
 lrwxr-xr-x  1 rees  wheel    14 Jun 30  2003 id_rsa -> private/id_rsa
 -rw-r--r--  1 rees  staff   224 Jun 30  2003 id_rsa.pub
 lrwxr-xr-x  1 rees  wheel    16 Mar  7  1997 identity -> private/identity
 -rw-r--r--  1 rees  wheel   333 Feb  8  1999 identity.pub
 lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 known_hosts -> private/known_hosts
 drwxr-xr-x  2 rees  wheel  2048 Mar  5 12:16 private
 lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 random_seed -> private/random_seed
 ___
 OpenAFS-info mailing list
 OpenAFS-info@openafs.org
 https://lists.openafs.org/mailman/listinfo/openafs-info
-- 



Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-14 Thread Russ Allbery
Walter Lamagna [EMAIL PROTECTED] writes:

 I am using PAM + AFS to authenticate the user; I have given permissions
 to everybody to read the .ssh directory of the user's home directory, but
 ssh complains with:

 pam_afs[25129]: AFS Won't use illegal password for user walter

 How could I resolve it?

If this is still in the context of password-less login, you can't use the
AFS PAM module that comes in the OpenAFS source tree with that.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/


Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread Simon Wilkinson


On 8 Mar 2007, at 10:16, Alexander Al wrote:

 Is there a possibility that you can use the authorized keys with ssh?

The problem is that ssh's authorized keys authentication mechanism
has no way of getting you a Kerberos ticket, and therefore, no way of
getting you an AFS token in order to access your files. You'll need
to explicitly kinit and aklog once you've logged in.

Of course, if you have Kerberos on the machine you're connecting
from, you can use Kerberos to give you passwordless login, forwarding
your tickets to your workstation, and then have a PAM module get your
AFS tokens as part of the login process.

Simon.

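
The "kinit and aklog once you've logged in" step from Simon's post, as an added example (not from the thread and not OpenAFS's own code) with the check a user would want afterwards: a public-key login leaves the session with no ticket and no token, so the helper below gets both and then confirms that the cache manager actually holds a token for the cell. It assumes MIT Kerberos kinit/klist, OpenAFS aklog/tokens on PATH, a placeholder cell name example.org, and that the `tokens` output uses one of the two "tokens for ..." wordings shown in the comments; that wording is an assumption about the installed version.

```shell
#!/bin/sh
# Added example, not from the OpenAFS thread or source tree.
# Assumed tools: kinit, klist, aklog, tokens on PATH.
# Assumed cell name: example.org (placeholder, override with AFS_CELL).

AFS_CELL="${AFS_CELL:-example.org}"

# has_token_for_cell OUTPUT CELL
#   Return 0 if OUTPUT (the text printed by `tokens`) lists a token for CELL.
#   Accepts both the older "tokens for afs@CELL [Expires ...]" and the newer
#   "rxkad tokens for CELL [Expires ...]" lines (assumed formats).
has_token_for_cell() {
    printf '%s\n' "$1" | grep -Eq "tokens for (afs@)?$2 \[Expires"
}

# ensure_afs_tokens [CELL]
#   Get a TGT if none is cached, then an AFS token for CELL, then verify.
ensure_afs_tokens() {
    cell="${1:-$AFS_CELL}"
    if ! klist -s; then
        # No valid ticket in the cache: kinit prompts for the Kerberos
        # password, which is the step authorized_keys login never performs.
        kinit || return 1
    fi
    aklog -c "$cell" || return 1
    if has_token_for_cell "$(tokens)" "$cell"; then
        echo "AFS token for $cell obtained"
    else
        echo "aklog returned success but no token for $cell is visible; check the cell name" >&2
        return 1
    fi
}
```

Run `ensure_afs_tokens` from the shell you land in after the key-based login (or from the user's profile); until it has succeeded, anything under /afs that is not readable by system:anyuser will still fail with permission errors even though the login itself worked.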


Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread Alexander Al
Simon Wilkinson wrote:
 On 8 Mar 2007, at 10:16, Alexander Al wrote:
 
 Is there a possibility that you can use the authorized keys with ssh?
 
 The problem is that ssh's authorized keys authentication mechanism  
 has no way of getting you a Kerberos ticket, and therefore, no way of  
 getting you an AFS token in order to access your files. You'll need  
 to explicitly kinit and aklog once you've logged in.
 
 Of course, if you have Kerberos on the machine you're connecting  
 from, you can use Kerberos to give you passwordless login, forwarding  
 your tickets to your workstation, and then have a PAM module get your  
 AFS tokens as part of the login process.

Thanks.

Very helpful.

I'll tell the user : can't (because he is connecting from outside.)

regards
Alexander.

-- 
Alexander Al
Leiden, Die Niederlande



Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread Jim Rees
Alexander Al wrote:

  I'll tell the user : can't (because he is connecting from outside.)

That's the wrong answer.  This should go in a FAQ somewhere.  You just need
to make the public key world readable.  That's difficult because ssh wants
to put public and private keys both in the same directory, and afs puts the
same acls on all files in a directory.  But with creative use of symlinks it
can certainly be done.

Here is how I do it.  It's not the only way, maybe not the best way, but it
works for me.

% cd .ssh
% ls -l
total 17
-rw-r--r--  1 rees  staff   828 Nov 16  2005 authorized_keys
-rw-r--r--  1 rees  staff    62 Dec 18 17:08 check-dups
lrwxr-xr-x  1 rees  wheel    14 Jan  1  1999 config -> private/config
-rw-r--r--  1 rees  staff    52 Jan 10  2006 config-um
-rw-r--r--  1 rees  wheel    31 Jan  1  1999 environment
lrwxr-xr-x  1 rees  wheel    14 Oct 13  2000 id_dsa -> private/id_dsa
-rw-r--r--  1 rees  wheel   604 Oct 13  2000 id_dsa.pub
lrwxr-xr-x  1 rees  wheel    14 Jun 30  2003 id_rsa -> private/id_rsa
-rw-r--r--  1 rees  staff   224 Jun 30  2003 id_rsa.pub
lrwxr-xr-x  1 rees  wheel    16 Mar  7  1997 identity -> private/identity
-rw-r--r--  1 rees  wheel   333 Feb  8  1999 identity.pub
lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 known_hosts -> private/known_hosts
drwxr-xr-x  2 rees  wheel  2048 Mar  5 12:16 private
lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 random_seed -> private/random_seed
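
The layout in Jim's listing, as an added example script (not Jim's own script and not part of OpenAFS): it moves the private material into private/, leaves the symlinks behind, sets the Unix modes that sshd's StrictModes check looks at, and applies the per-directory AFS ACLs that make the split necessary in the first place. It assumes the OpenAFS `fs` command (set FS=echo for a dry run), OpenSSH's file names, and that every directory above ~/.ssh already grants at least lookup ("l") to system:anyuser, which sshd needs in order to reach authorized_keys without a token. It goes slightly beyond the listing by also verifying the result.

```shell
#!/bin/sh
# Added example, not Jim Rees's script and not OpenAFS code.
# Assumed: OpenAFS "fs" on PATH (override with FS=echo to dry-run),
# OpenSSH file names, and a home directory that lives in AFS.

FS="${FS:-fs}"

# split_ssh_dir SSHDIR
#   Move private material into SSHDIR/private and leave symlinks behind,
#   as in the listing above. Files that do not exist are skipped.
split_ssh_dir() {
    sshdir="$1"
    mkdir -p "$sshdir/private"
    chmod 700 "$sshdir/private"
    for f in identity id_dsa id_rsa config known_hosts random_seed; do
        [ -f "$sshdir/$f" ] || continue
        mv "$sshdir/$f" "$sshdir/private/$f"
        ln -s "private/$f" "$sshdir/$f"
    done
    # sshd's StrictModes checks only Unix ownership and mode bits (it knows
    # nothing about AFS ACLs): the directory and authorized_keys must not be
    # group- or world-writable. World-readable is fine; that is the point.
    chmod 755 "$sshdir"
    [ -f "$sshdir/authorized_keys" ] && chmod 644 "$sshdir/authorized_keys"
    return 0
}

# set_afs_acls SSHDIR
#   AFS ACLs apply to a whole directory, so the public part gets
#   system:anyuser rl (sshd runs with no token and reads as anyuser) and
#   the private subdirectory has the anyuser entry removed entirely.
set_afs_acls() {
    sshdir="$1"
    "$FS" setacl "$sshdir" system:anyuser rl &&
    "$FS" setacl "$sshdir/private" system:anyuser none
}

# verify_layout SSHDIR
#   Return 0 if each present private key is a symlink into private/, its
#   .pub counterpart is a regular file, and private/ is a real directory.
verify_layout() {
    sshdir="$1"
    for k in identity id_dsa id_rsa; do
        [ -e "$sshdir/$k" ] || continue
        [ -L "$sshdir/$k" ] || return 1
        [ "$(readlink "$sshdir/$k")" = "private/$k" ] || return 1
        [ -f "$sshdir/$k.pub" ] && [ ! -L "$sshdir/$k.pub" ] || return 1
    done
    [ -d "$sshdir/private" ] && [ ! -L "$sshdir/private" ]
}

# Typical use: split_ssh_dir "$HOME/.ssh" && set_afs_acls "$HOME/.ssh" && verify_layout "$HOME/.ssh"
```

Because the ACL lives on the directory, not the file, the ssh client still finds id_rsa through the symlink with the user's own token, while sshd, which holds no token, can read authorized_keys but gets permission denied on anything under private/. Alexander's "and now for 3500 users?" question is the reason the script takes the directory as a parameter: an administrator with admin rights on the users' volumes can loop it over home directories.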


Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread Alexander Al
Jim Rees wrote:
 Alexander Al wrote:
 
   I'll tell the user : can't (because he is connecting from outside.)
 
 That's the wrong answer.  This should go in a FAQ somewhere.  You just need
 to make the public key world readable.  That's difficult because ssh wants
 to put public and private keys both in the same directory, and afs puts the
 same acls on all files in a directory.  But with creative use of symlinks it
 can certainly be done.
 
 Here is how I do it.  It's not the only way, maybe not the best way, but it
 works for me.

Ok. Sounds cool. (really, for me it should work)

And now for 3500 users? :)

regards,
Alexander.

-- 
Alexander Al
Leiden, Die Niederlande



Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread Robert Banz


On Mar 8, 2007, at 10:20, Jim Rees wrote:

 Alexander Al wrote:

   I'll tell the user : can't (because he is connecting from outside.)

...or, if he has a kerberos gss-api-ticket-passing enabled ssh on his
end, he can kinit to your realm and make the magic happen ;)

-rob


Robert Banz
Coordinator, Core Systems
[EMAIL PROTECTED]



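
The Kerberos route that Simon's second paragraph and Rob's reply describe, seen from the client, as an added example (not from the thread): the user gets a ticket for the workstation's realm, checks that the TGT is forwardable, and connects with GSSAPI authentication plus credential delegation so that the forwarded ticket is there for a PAM module or aklog on the workstation. It assumes MIT Kerberos (the `Flags:` line that `klist -f` prints is MIT's format), OpenSSH on both ends with `GSSAPIAuthentication yes` in the server's sshd_config, and placeholder realm and host names. The forwardability check is the part people miss: with a non-forwardable TGT the login still succeeds, delegation is silently skipped, and the session ends up with no AFS token.

```shell
#!/bin/sh
# Added example, not from the OpenAFS thread.
# Assumed: MIT Kerberos kinit/klist, OpenSSH with GSSAPI support,
# placeholder realm EXAMPLE.ORG (override with REALM).

REALM="${REALM:-EXAMPLE.ORG}"

# tgt_is_forwardable KLIST_OUTPUT REALM
#   Return 0 if the output of `klist -f` contains a krbtgt for REALM whose
#   following "Flags:" line includes F (forwardable). The flag letters are
#   taken from after "Flags:" so the F in the word "Flags" is not counted.
tgt_is_forwardable() {
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '
        $0 ~ tgt { want = 1; next }
        want && /Flags:/ {
            flags = $0
            sub(/.*Flags: */, "", flags)
            if (index(flags, "F")) found = 1
            want = 0
        }
        END { exit found ? 0 : 1 }'
}

# afs_ssh USER HOST
#   Obtain a forwardable TGT for REALM if the cache lacks one, then log in
#   with GSSAPI authentication and delegation. On the workstation the
#   delegated TGT is what a PAM module or a manual aklog turns into a token.
afs_ssh() {
    user="$1"; host="$2"
    if ! tgt_is_forwardable "$(klist -f 2>/dev/null)" "$REALM"; then
        # -f asks the KDC for a forwardable ticket explicitly, in case the
        # client's krb5.conf does not set forwardable = true by default.
        kinit -f "$user@$REALM" || return 1
    fi
    ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes \
        "$user@$host"
}
```

The two `-o` options are equivalent to `GSSAPIAuthentication yes` and `GSSAPIDelegateCredentials yes` in a `Host` stanza of ~/.ssh/config; delegation only happens when the TGT is forwardable, which is why the check runs before the connection rather than after a puzzling "permission denied" on the AFS home directory.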


RE: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.

2007-03-08 Thread ted creedon
I ssh into my cell home.ted-doris.fam from remote sites, kinit and aklog.

Works great. No vpn required.

tedc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Robert Banz
Sent: Thursday, March 08, 2007 6:49 AM
To: Jim Rees
Cc: Alexander Al; Simon Wilkinson; openafs-info@openafs.org
Subject: Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled
workstation.


On Mar 8, 2007, at 10:20, Jim Rees wrote:

 Alexander Al wrote:

   I'll tell the user : can't (because he is connecting from  
 outside.)


...or, if he has a kerberos gss-api-ticket-passing enabled ssh on his  
end, he can kinit to your realm and make the magic happen ;)

-rob


Robert Banz
Coordinator, Core Systems
[EMAIL PROTECTED]




