Openssh + AFS, ssh-key login working
Rainer Laatsch
Laatsch at uni-koeln.de
Sun Jun 8 10:17:53 EST 2008
SSH key login and finally getting an AFS token can be made to work like
this. It uses the feature of the shell to include a .bashrc or .kshrc
upon every reexec of the shell.
- move all .profiles to a public subdir ( $HOME/public ) ;
AFS acl's "system:anyuser rl"
- make links from $HOME/ to these -> $HOME/public/
- move authorized_keys from .ssh/ to $HOME/public/authorized_keys
- make link .ssh/authorized_keys to $HOME/public/authorized_keys
- for $HOME and $HOME/.ssh, the acl's "$LOGNAME all system:anyuser none"
may be left like that (no change whatever).
That's all for the setup.
Have a key made:
- ssh-keygen -N '' ... (say into .ssh/id_rsa)
- cat .ssh/id_rsa.pub >> $HOME/public/authorized_keys
This is the point: Add in front of your .bashrc / .kshrc
# ---
[ "$PAGSHDONE" == "" ] &&
export PAGSHDONE=true &&
exec /usr/afsws/bin/pagsh -c "exec $SHELL"
[ "$TOKENDONE" == "" ] &&
export TOKENDONE=true &&
/opt/krb5/bin/gssklog # or aklog, whatever
Now always ssh to $host in 2 steps:
scp /tmp/krb5cc_$uid $host &&
ssh $host
To remedy the case of leftover tickets, the end of your .bashrc / .kshrc
may read
# ---
tty -s || kdestroy #throw away when interactive; does not influence scp
Best regards,
Rainer Laatsch
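
Added example, not part of the original post: a shell check of the layout set up above. It verifies that .ssh/authorized_keys is a symlink to $HOME/public/authorized_keys and that no file in the public directory (readable by system:anyuser) contains private key material. The AFS ACLs themselves are not inspected; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the $HOME/public layout described in the post.
# audit_public_layout HOME_DIR -> prints findings, returns 0 if clean, 1 if not.
audit_public_layout() {
    home=$1; pub=$home/public; rc=0

    # authorized_keys must exist in public/ and .ssh/authorized_keys must be
    # a symlink that resolves to that same file.
    if [ ! -f "$pub/authorized_keys" ]; then
        echo "MISSING: $pub/authorized_keys"; rc=1
    elif [ ! -L "$home/.ssh/authorized_keys" ]; then
        echo "NOT A SYMLINK: $home/.ssh/authorized_keys"; rc=1
    elif [ ! "$home/.ssh/authorized_keys" -ef "$pub/authorized_keys" ]; then
        echo "WRONG TARGET: $home/.ssh/authorized_keys"; rc=1
    fi

    # public/ is readable by system:anyuser, so no file in it may hold
    # private key material (for example id_rsa appended instead of id_rsa.pub).
    for f in "$pub"/* "$pub"/.[!.]*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "PRIVATE KEY IN WORLD-READABLE DIR: $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (placeholder key text, not a real key).
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public" "$d/.ssh"
    echo 'ssh-rsa AAAAconstructed user@example' > "$d/public/authorized_keys"
    ln -s ../public/authorized_keys "$d/.ssh/authorized_keys"
    echo "$d"
}

sample=$(make_sample_home)
audit_public_layout "$sample" && echo "clean: $sample"
# Simulate the mistake of appending the private key file.
echo '-----BEGIN OPENSSH PRIVATE KEY-----' >> "$sample/public/authorized_keys"
audit_public_layout "$sample" || echo "findings reported"
rm -rf "$sample"
```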