KerberosGetAFSToken drives me crazy

Robert Banz banz at
Fri Nov 11 04:40:13 EST 2005

Darren Tucker wrote:
> Jan Bilang wrote:
>> every time i enable the option "KerberosGetAFSToken yes" on a computer where
>> the afs-client works fine i get a (/var/log/)message(s) like this:
>> "sshd[1136]: rexec line 70: Unsupported option KerberosGetAFSToken".
> In addtion to requiring Kerberos support, that option only works if your 
> Kerberos implementation has the required AFS bits (k_setpag() and a few 
> other calls) and at the moment, only Heimdal has them.  There was talk 
> of adding them as an external library for MIT Kerberos but as far as I 
> know that's never happened.
> Depending on what your OS vendors have done, it might be possible to 
> configure AFS to work via a PAM module, but that's going to be vendor 
> specific.
> (Hmm, I see that FC3 has a "krbafs" package which implements some but 
> not all of the functions needed.  I don't know if it could be made to 
> work.)

I've actually gotten things to build with the krbafs package + MIT on 
multiple architectures (Solaris & OSX.)  So, it's all there.


More information about the openssh-unix-dev mailing list