KerberosGetAFSToken drives me crazy

Darren Tucker dtucker at
Thu Nov 10 21:49:18 EST 2005

Jan Bilang wrote:
> every time i enable the option "KerberosGetAFSToken yes" on a computer where
> the afs-client works fine i get a (/var/log/)message(s) like this:
> "sshd[1136]: rexec line 70: Unsupported option KerberosGetAFSToken".

In addtion to requiring Kerberos support, that option only works if your 
Kerberos implementation has the required AFS bits (k_setpag() and a few 
other calls) and at the moment, only Heimdal has them.  There was talk 
of adding them as an external library for MIT Kerberos but as far as I 
know that's never happened.

Depending on what your OS vendors have done, it might be possible to 
configure AFS to work via a PAM module, but that's going to be vendor 

(Hmm, I see that FC3 has a "krbafs" package which implements some but 
not all of the functions needed.  I don't know if it could be made to 

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list