Re+: Openssh + AFS, Script for key login without passwords

Rainer Laatsch Laatsch at uni-koeln.de
Sun Jun 15 19:07:05 EST 2008


Find it here:
 /afs/rrz.uni-koeln.de/admin/public/.bashrc
Laatsch at uni-koeln.de
Using it as your .bashrc or .kshrc on the target host allows you to
- forward credentials (tickets) to /tmp/
- when logging in with ssh, these are used to get a token (under a PAG)
  if the home dir is in AFS
- the creds are moved to $HOME/private
- on non-private hosts, an exit trap handler is in place to (k)destroy
  the credentials.

I would like to give this as a contribution to the SSH community.

Best regards
Rainer Laatsch

On Sun, 8 Jun 2008, Rainer Laatsch wrote:
> SSH key login and finally getting an AFS token can be made working like
> this. It uses the feature of the shell to include a .bashrc or .kshrc
> upon every reexec of the shell.
>
> - move all .profiles to a public subdir ( $HOME/public ) ;
>    AFS ACLs "system:anyuser rl"
> - make links from $HOME/ to these ->  $HOME/public/
> - move authorized_keys from .ssh/ to  $HOME/public/authorized_keys
> - make link .ssh/authorized_keys  to  $HOME/public/authorized_keys
> - for $HOME and $HOME/.ssh, the ACLs "$LOGNAME all system:anyuser none"
>    may be left like that (no change whatever).
> That's all for the setup.
>
> Have a key made:
> - ssh-keygen  -N '' ...  (say into .ssh/id_rsa)
> - cat .ssh/id_rsa.pub >> $HOME/public/authorized_keys
>
> This is the point: Add in front of your .bashrc / .kshrc
> # ---
> [ "$PAGSHDONE" = "" ] &&
>        export PAGSHDONE=true &&
>          exec /usr/afsws/bin/pagsh -c "exec $SHELL"
> [ "$TOKENDONE" = "" ] &&
>        export TOKENDONE=true &&
>          /opt/krb5/bin/gssklog    # or aklog, whatever
>
> Now always ssh to $host in 2 steps:
>
>   scp /tmp/krb5cc_$uid $host:/tmp/  &&
>        ssh $host
>
> To remedy the case of leftover tickets, the end of your .bashrc / .kshrc
> may read
> # ---
> tty -s || kdestroy  #throw away when interactive; does not influence scp
>
>
> Best regards,
> Rainer Laatsch
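The steps above (PAG re-exec guard, ticket cache forwarded to /tmp, token fetched once, kdestroy on non-private hosts), as an added example written for this thread and not the script at /afs/rrz.uni-koeln.de/admin/public/.bashrc. Tool paths (PAGSH, AKLOG, KDESTROY) and the AFS_PRIVATE_HOSTS list are assumptions; each step is a function so it can be sourced from .bashrc/.kshrc and exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's .bashrc. Assumed tool locations:
: "${PAGSH:=/usr/afsws/bin/pagsh}"
: "${AKLOG:=/opt/krb5/bin/gssklog}"     # or aklog, as in the thread
: "${KDESTROY:=kdestroy}"
: "${AFS_PRIVATE_HOSTS:=}"             # hosts where tickets may stay after logout

# Step 1: re-exec the shell inside a PAG exactly once; the exported guard
# variable survives the exec, so the re-executed shell skips this branch.
afs_enter_pag() {
    [ -n "$PAGSHDONE" ] && return 0
    export PAGSHDONE=true
    exec "$PAGSH" -c "exec $SHELL"
}

# Step 2: move the cache that scp left in world-writable /tmp into
# $HOME/private (owner-only) and point Kerberos at it. Returns 1 if none.
afs_collect_ccache() {
    src="${1:-/tmp/krb5cc_$(id -u)}"; dst_dir="${2:-$HOME/private}"
    [ -f "$src" ] || return 1
    mkdir -p "$dst_dir" && chmod 700 "$dst_dir"
    mv "$src" "$dst_dir/krb5cc" && chmod 600 "$dst_dir/krb5cc"
    export KRB5CCNAME="FILE:$dst_dir/krb5cc"
}

# Step 3: turn the ticket into an AFS token, once per login.
afs_get_token() {
    [ -n "$TOKENDONE" ] && return 0
    export TOKENDONE=true
    "$AKLOG"
}

# Is $1 (default: this host) one where tickets may remain after logout?
afs_host_is_private() {
    h="${1:-$(hostname)}"
    for p in $AFS_PRIVATE_HOSTS; do [ "$p" = "$h" ] && return 0; done
    return 1
}

# Step 4: on shared hosts, destroy the tickets when the login shell exits.
afs_install_cleanup() {
    afs_host_is_private "$1" && return 0
    trap '"$KDESTROY"' EXIT
}

# Order for a real rc file (steps 2-4 only run in the re-exec'd PAG shell):
# afs_enter_pag; afs_collect_ccache; afs_get_token; afs_install_cleanup
```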



More information about the openssh-unix-dev mailing list