Openssh + AFS, easy solution
Rainer Laatsch
Laatsch at uni-koeln.de
Thu Jun 5 03:04:27 EST 2008
Checking out key login further led me to this solution.
- Put the authorized_keys into $HOME/public/authorized_keys (read access for anybody)
- Added to sshd_config:
AuthorizedKeysFile %h/public/authorized_keys
AuthorizedKeysfile2 %h/.ssh/authorized_keys
- Have an id_rsa.pub line enabled in authorized_keys
Now I could log in with an ssh key. But the home dir in AFS would be inaccessible.
The remedy can be done in a two-step approach:
- Send my ticket by ssh/scp and key to the host's /tmp/
- Log in via ssh and key:
'pam_auth' was skipped by sshd
'pam_account sufficient' checks my ticket by refreshing (kinit -R)
'pam_account required' else does exec 'kinit -r 1day' to get a
refreshable ticket
'pam_session sufficient' now gets me a token (gssklog)
My PAM module always sets a PAG for non-root accounts and throws the
ticket away as soon as possible (it is only used to get a token).
This could also be extended to allow tickets from another realm
without cross realm/cell setup. PAM just gets user@realm from the ticket;
if that realm is allowed, it requests a refresh from that realm's KDC.
Best regards,
Rainer Laatsch
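Added here as an illustration, not part of Rainer's post: a small Python audit that expands the %h token in the two AuthorizedKeysFile directives above and checks that the world-readable copy under public/ is not also writable by anyone but its owner or root (the same property sshd's StrictModes enforces), since an authorized_keys file anybody can write is a login for anybody. The constructed home directory, the sample key line and the user name are assumptions.

```python
import os
import tempfile

def expand_tokens(path, home, user):
    """Expand the %h, %u and %% tokens sshd accepts in AuthorizedKeysFile."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%" and i + 1 < len(path):
            out.append({"%": "%", "h": home, "u": user}.get(path[i + 1], path[i:i + 2]))
            i += 2
        else:
            out.append(path[i])
            i += 1
    return "".join(out)

def authorized_keys_paths(config_text):
    """AuthorizedKeysFile / AuthorizedKeysFile2 values (sshd keywords are case-insensitive)."""
    paths = []
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() in ("authorizedkeysfile", "authorizedkeysfile2"):
            paths.extend(fields[1:])
    return paths

def check_keys_file(path, uid):
    """World-readable is fine (sshd reads it before any AFS token exists); writable by others is not."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if st.st_uid not in (0, uid):
        problems.append("not owned by user or root")
    if st.st_mode & 0o022:  # group or other write bit set
        problems.append("group/world writable")
    return problems

def audit(config_text, home, user, uid):
    return {p: check_keys_file(p, uid)
            for p in (expand_tokens(raw, home, user) for raw in authorized_keys_paths(config_text))}

def demo():
    """Constructed home: a correct 0644 public file and a sloppy 0666 .ssh file."""
    cfg = ("AuthorizedKeysFile %h/public/authorized_keys\n"
           "AuthorizedKeysFile2 %h/.ssh/authorized_keys\n")  # mirrors the post's sshd_config lines
    home = tempfile.mkdtemp()
    for sub, mode in (("public", 0o644), (".ssh", 0o666)):
        os.makedirs(os.path.join(home, sub))
        f = os.path.join(home, sub, "authorized_keys")
        with open(f, "w") as fh:
            fh.write("ssh-rsa AAAA...constructed... user@example\n")  # constructed key line
        os.chmod(f, mode)
    return home, audit(cfg, home, "user", os.getuid())
```

On a real AFS home the directory ACL (fs listacl) rather than the mode bits decides who may write, so check that as well; this script only sees the POSIX view.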