Openssh + AFS

Rainer Laatsch Laatsch at
Wed May 28 03:34:42 EST 2008

The native authentication methods of openssh are
(not counting insecure RhostsRSAAuthentication)
1) public key
2) password
For users with home dirs in AFS space, method 1) does not work.
Except with (non foolproof) fiddling on the access controls within
the home directory. This might lead to security issues when done
by inexperienced users.

Without some work, only 2) remains. Being forced to send the most
intimate credential instead of an ssh-key is not that nice.

The use of Krb5 ticket passing with GSS-API is thought to be useful.
But the authentication is done 'under the hood'; the administrator
has no chance to issue finer controls regarding then ticket contents.
When the ticket is accepted but not sufficient to open up the home dir,
the user must be forced out in the behind.

I would like to propose an initial credential exchange phase. The client
might send ticket, x509-creds, afs-tokens or whatever. This should not
authenticate the user, but help in authentcation with other methods.
If activation of these credentials allows access to the AFS home dir,
standard ssh-key authentication can be done. So a double
authentication is enforced: the credentials must be sufficient for AFS
and an ssh-key (from within protected AFS space) authentication has to be

Patches for a working example can be found in
It implements AFS-Token-passing and Krb5-ticket-passing for protocol-2
(adding X509-cred-passing should be easy).
A flag 'AllowCredPassing' in the ssh config files might increase the
acceptability for that.

Best regards,
Rainer Laatsch

More information about the openssh-unix-dev mailing list