Openssh + AFS, easy solution
Laatsch at uni-koeln.de
Thu Jun 5 03:04:27 EST 2008
Checking out key-login further lead me to this solution.
- Put the authorized_keys to $HOME/public/authorized_keys (read access for
- Added to sshd_config:
- Have an id_rsa.pub line enabled in authorized_keys
Now i could login with ssh-key. But the homedir in afs would be
The remedy can be done in a two step approach:
- Send my ticket by ssh/scp and key to the host's /tmp/
- login per ssh and key:
'pam_auth' was skipped by sshd
'pam_account sufficient' checks my ticket by refreshing (kinit -R)
'pam_account required' else does exec 'kinit -r 1day' to get a
'pam_session sufficient' now gets me a token (gssklog)
My Pam-Module always sets a PAG for non-root accounts and throws the
ticket away as soon as possible (just use it to get a token).
This could also be extended to allow tickets from another realm
without cross realm/cell setup. Pam just gets user at realm from the ticket;
if that realm is allowed, it requests a refresh from that realms kdc.
More information about the openssh-unix-dev