After looking into this, I realize I misspoke. We're still using the default RedHat EL 3.0's sshd, as well as Debian's vendor binaries. I forgot that we want to be able to ssh to our machines if our fileservers holding the packages aren't available because of [your_favorite_disaster_here]. :)
On my development sarge/etch machines, common-auth looks like this:

[snip]
auth optional pam_krb5.so
auth sufficient pam_afs.so try_first_pass ignore_root
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
[/snip]

There are minor problems with this layering and some options, but nothing security-related... that I can tell, anyway. Our RHEL3 system-auth is a bit more broken, but the same stacking.

I don't have the config info for RHEL or Debian in front of me, but neither is linked against AFS, though RHEL's is linked against some krb5 libs: libkrb5.so.3, libk5crypto.so.3, libgssapi_krb5.so.2

We're not doing ticket or token forwarding, so it doesn't matter to us how sshd is compiled anyway -- pam handles the auth... at least, that's my understanding. Feel free to educate me, though.

Cheers,
Kevin

-----
Kevin Sumner
Assistant Unix Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill
[EMAIL PROTECTED]

On Tue, 17 Oct 2006, Daniel Clark wrote:

> On 10/17/06, Kevin Scott Sumner <[EMAIL PROTECTED]> wrote:
> >
> > With just some configuration changes, the kdc authentication, token-getting
> > and ticket-getting all worked out of the box once-upon a time... although,
> > we now have compiled our own version of ssh/sshd.
>
> This seems sort of unavoidable if you want to use some of the more advanced
> OpenAFS/Kerberos related features, esp. if you must support platforms other
> than Debian/Ubuntu.
>
> Do you happen to have specs of your OpenSSH compiles anywhere?
>
> I am also doing this; my work is up at [1]; I just got stuff to compile
> cleanly, but still need to test against Kerberos 5 / PAM / OpenAFS etc.
>
> [1] http://www.dclark.us/encaps/profiles/openssh-4.4p1.ep
>
> Cheers,
> -Danny
>
> --

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
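The common-auth stacking quoted in the message, evaluated for every combination of module outcomes. This is an added example, not part of the original post and not code from PAM or OpenAFS. It models only Linux-PAM's four keyword control flags (no bracketed `[value=action]` controls), assumes pam_deny.so always fails, and the function names are hypothetical.

```python
from itertools import product

# The common-auth lines as quoted in the message.
COMMON_AUTH = """\
auth optional   pam_krb5.so
auth sufficient pam_afs.so try_first_pass ignore_root
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required   pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module, options)] for every auth line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, results):
    """Verdict of the stack; results maps module name -> True (success)."""
    failed = granted = False
    for control, module, _opts in stack:
        if results[module]:
            if control == "sufficient" and not failed:
                return True          # success here ends the stack at once
            granted = True
        elif control == "requisite":
            return False             # failure here ends the stack at once
        elif control == "required":
            failed = True            # remembered, but the stack keeps running
        # a failing sufficient or optional module is ignored
    return granted and not failed

def access_table(stack, always_fail=("pam_deny.so",)):
    """Verdict for every combination of outcomes of the other modules."""
    free = [m for _c, m, _o in stack if m not in always_fail]
    table = {}
    for combo in product([False, True], repeat=len(free)):
        results = dict(zip(free, combo))
        results.update({m: False for m in always_fail})
        table[combo] = evaluate(stack, results)
    return free, table

if __name__ == "__main__":
    modules, table = access_table(parse_stack(COMMON_AUTH))
    print(modules)
    for combo, verdict in sorted(table.items()):
        print(combo, "->", "granted" if verdict else "denied")
```

Under this model a successful pam_krb5.so alone never grants access, because it is `optional` and the trailing `required` pam_deny.so then fails the stack; only pam_afs.so or pam_unix.so succeeding ends the stack with success.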
