Re: Openssh + AFS, Script for key login without passwords
Rainer Laatsch
Laatsch at uni-koeln.de
Sun Jun 15 19:07:05 EST 2008
Find it here:
/afs/rrz.uni-koeln.de/admin/public/.bashrc
Using it as your .bashrc or .kshrc on the target host allows you to
- forward credentials (tickets) to /tmp/
- logging in with ssh, these are used to get a token (under a PAG) if the home dir is in AFS
- the creds are moved to $HOME/private
- on non-private hosts, an exit trap handler is in place to (k)destroy the credentials.
I would like to give this as a contribution to the SSH community.
Best regards
Rainer Laatsch
On Sun, 8 Jun 2008, Rainer Laatsch wrote:
> SSH key login and finally getting an AFS token can be made to work like
> this. It uses the feature of the shell to include a .bashrc or .kshrc
> upon every reexec of the shell.
>
> - move all .profiles to a public subdir ( $HOME/public ) ;
> AFS ACLs "system:anyuser rl"
> - make links from $HOME/ to these -> $HOME/public/
> - move authorized_keys from .ssh/ to $HOME/public/authorized_keys
> - make link .ssh/authorized_keys to $HOME/public/authorized_keys
> - for $HOME and $HOME/.ssh, the ACLs "$LOGNAME all system:anyuser none"
> may be left like that (no change whatever).
> That's all for the setup.
>
> Have a key made:
> - ssh-keygen -N '' ... (say into .ssh/id_rsa)
> - cat .ssh/id_rsa.pub >> $HOME/public/authorized_keys
>
> This is the point: Add in front of your .bashrc / .kshrc
> # ---
> # first pass: re-exec the shell inside a fresh PAG (once)
> [ "$PAGSHDONE" = "" ] &&
> export PAGSHDONE=true &&
> exec /usr/afsws/bin/pagsh -c "exec $SHELL"
> # second pass (inside the PAG): turn the forwarded ticket into a token (once)
> [ "$TOKENDONE" = "" ] &&
> export TOKENDONE=true &&
> /opt/krb5/bin/gssklog # or aklog, whatever
>
> Now always ssh to $host in 2 steps:
>
> scp /tmp/krb5cc_$uid $host &&
> ssh $host
>
> To remedy the case of leftover tickets, the end of your .bashrc / .kshrc
> may read
> # ---
> tty -s || kdestroy #throw away when interactive; does not influence scp
>
>
> Best regards,
> Rainer Laatsch
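As an added example (not the post's own script), here is the same .bashrc/.kshrc logic written out with the credential stash and the kdestroy exit trap that the message above describes; the pagsh and gssklog paths follow the post, while the private-host list file, the $HOME/private/krb5cc location and the function names are assumptions.

```shell
#!/bin/sh
# Sourceable fragment: PAG re-exec, token, stash forwarded ticket, cleanup trap.
AFS_PAGSH=${AFS_PAGSH:-/usr/afsws/bin/pagsh}      # path from the post
AFS_AKLOG=${AFS_AKLOG:-/opt/krb5/bin/gssklog}     # or aklog
PRIVATE_HOSTS=${PRIVATE_HOSTS:-$HOME/private/hosts}  # assumed: one hostname per line

# Return 0 if HOST appears (exact line match) in LISTFILE; '#' lines are comments.
afs_host_is_private() {
    host=$1; list=$2
    [ -r "$list" ] || return 1
    grep -v '^#' "$list" | grep -qx "$host"
}

# Move the forwarded ticket cache SRC into DEST (0600 under a 0700 directory)
# and print the KRB5CCNAME to use. Refuses symlinks and files we do not own.
afs_stash_creds() {
    src=$1; dest=$2
    [ -f "$src" ] && [ ! -h "$src" ] && [ -O "$src" ] || return 1
    mkdir -p "$(dirname "$dest")" && chmod 700 "$(dirname "$dest")" || return 1
    mv "$src" "$dest" && chmod 600 "$dest" || return 1
    printf 'FILE:%s\n' "$dest"
}

# Runs only from an interactive shell; non-interactive (scp) invocations return.
afs_bootstrap() {
    case $- in *i*) ;; *) return 0 ;; esac
    if [ -z "$PAGSHDONE" ] && [ -x "$AFS_PAGSH" ]; then
        export PAGSHDONE=true
        exec "$AFS_PAGSH" -c "exec $SHELL"      # second pass lands inside the PAG
    fi
    if [ -z "$TOKENDONE" ]; then
        export TOKENDONE=true
        cc=$(afs_stash_creds "/tmp/krb5cc_$(id -u)" "$HOME/private/krb5cc") \
            && export KRB5CCNAME=$cc
        "$AFS_AKLOG"
        # on non-private hosts, drop the Kerberos tickets when the shell exits
        afs_host_is_private "$(hostname)" "$PRIVATE_HOSTS" || trap 'kdestroy' EXIT
    fi
}
afs_bootstrap
```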