Openssh + AFS

Michael Loftis mloftis at
Wed May 28 06:10:58 EST 2008

--On May 27, 2008 7:34:42 PM +0200 Rainer Laatsch <Laatsch at> 

> The native authentication methods of openssh are
> (not counting insecure RhostsRSAAuthentication)
> 1) public key
> 2) password
> For users with home dirs in AFS space, method 1) does not work.
> Except with (non foolproof) fiddling on the access controls within
> the home directory. This might lead to security issues when done
> by inexperienced users.
> Without some work, only 2) remains. Being forced to send the most
> intimate credential instead of an ssh-key is not that nice.
> The use of Krb5 ticket passing with GSS-API is thought to be useful.
> But the authentication is done 'under the hood'; the administrator
> has no chance to issue finer controls regarding then ticket contents.
> When the ticket is accepted but not sufficient to open up the home dir,
> the user must be forced out in the behind.
> I would like to propose an initial credential exchange phase. The client
> might send ticket, x509-creds, afs-tokens or whatever. This should not
> authenticate the user, but help in authentcation with other methods.
> If activation of these credentials allows access to the AFS home dir,
> standard ssh-key authentication can be done. So a double
> authentication is enforced: the credentials must be sufficient for AFS
> and an ssh-key (from within protected AFS space) authentication has to be
> successful.

I run sshd under k5start so it can obtain tokens to read public-key files 
from users.  The ACLs are set by default to allow the daemon RO access. 
Users still need to use GSS-API though or they get 'forced out in the 
behind' as you call it when they can't access their homedir.

> Patches for a working example can be found in
>  /afs/
> It implements AFS-Token-passing and Krb5-ticket-passing for protocol-2
> (adding X509-cred-passing should be easy).
> A flag 'AllowCredPassing' in the ssh config files might increase the
> acceptability for that.
> Best regards,
> Rainer Laatsch
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler

More information about the openssh-unix-dev mailing list