A V Le Blanc <[EMAIL PROTECTED]> writes: > I think the (very old) patched ssh we used which forwarded AFS tokens > did this, but I may be mistaken.
Oh, yeah, that's possible. I haven't used that for so long that I don't remember. > I find that if I login on one machine with openssh-4.2 and get kerberos > tickets for a user, I can login to another machine using '-o > GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes', and this > _does_ get AFS authentication and passes the kerberos credentials > across. The user in question has his home directory in /afs, and it is > not world readable, nor is anything under it, so the GSSAPI > authentication does not need access to authorized_keys files. Right. GSSAPI authentication with openssh-4.2 in Debian has been patched to do key exchange and therefore works entirely with Kerberos credentials and doesn't require any of the standard ssh host key or .ssh/authorized_keys stuff. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
