Jim Rees wrote:
> James Rogers wrote:
> > I believe krb5 forwarding requires a host principal for the
> > forwarding machine. Do you have one for your home machine?
>
> No, I think you need the host key on the forwarded-to (server) machine. And
> you need GSSAPIAuthentication in the ssh config on both the client and
> server, and GSSAPIDelegateCredentials on the client. And "afs-use-524 = 2b"
> in your krb5.conf. You also need the equivalent of aklog on the server
> side, which the appropriate pam module can do for you (I don't use pam).
> And if you're doing X forwarding and your home directory is in afs, you'll
> need to move the Xauthority file to the local disk.

Thanks for the clues, I am probably missing the host principal. I did try various settings of the GSSAPI ssh config parameters, but they didn't seem to change the behavior. For the host principal, do I need to have those in keytabs?
I searched for documentation and found all sorts of stuff, but most of it was about older versions of OpenSSH and OpenAFS and didn't apply any longer. That added to the confusion, and then there are the other related confusion factors, like getting tokens associated with the userid instead of a pag, or accidentally available to sshd, so stuff seems to work for one user anyway until sshd restarts, or sshd and pam claim to get tickets and tokens and then lose them, privilege separation, .... It really was simpler (back in the day), when all that you had to do was add one option to OpenSSH and poof you had tokens....

Thanks,
Ken

> This is probably all documented somewhere.
>
> I think it would be nice if you could use ssh credentials for the login
> authentication, and still delegate the kerberos ticket. Then you wouldn't
> need the host key on the server. But this is apparently considered a
> problem.
>
> Even nicer would be token forwarding, like we had back in the good old days.
> That would make it easier for those of us who need tokens in multiple cells.
> But you can't have everything.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
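A quick way to check the prerequisites Jim lists (host principal in the server keytab, GSSAPIAuthentication on both sides, GSSAPIDelegateCredentials on the client, afs-use-524 in krb5.conf), written as an added example and not taken from the thread or from OpenSSH/OpenAFS. Each check parses the text output of `ssh -G`, `sshd -T`, `klist -k` or the krb5.conf contents, so it assumes an OpenSSH new enough for `ssh -G` and MIT-style `klist -k` output; the host name and realm passed in are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: each check takes the *text* of a
# command's output as $1 so it can be run against constructed samples; feed it
# the real output, e.g. check_client_opts "$(ssh -G server.example.com)".
# Assumes OpenSSH with `ssh -G` and MIT-style `klist -k` output.

# Pull the value of one keyword from `ssh -G` / `sshd -T` "keyword value" lines.
opt_value() {                       # $1 = config dump text, $2 = keyword (any case)
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k){print tolower($2); exit}'
}

# Client: GSSAPIAuthentication and GSSAPIDelegateCredentials must both be yes,
# otherwise no ticket is delegated and aklog on the server has nothing to use.
check_client_opts() {               # $1 = output of `ssh -G <server>`
    [ "$(opt_value "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(opt_value "$1" GSSAPIDelegateCredentials)" = yes ]
}

# Server: sshd must accept GSSAPI; if not, ssh quietly falls back to other
# authentication methods and nothing is forwarded.
check_server_opts() {               # $1 = output of `sshd -T`
    [ "$(opt_value "$1" GSSAPIAuthentication)" = yes ]
}

# Server: the keytab needs host/<fqdn>@REALM, the "host key" Jim refers to.
check_host_keytab() {               # $1 = output of `klist -k`, $2 = fqdn, $3 = realm
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# krb5.conf: the afs-use-524 = 2b setting Jim mentions, whitespace tolerated.
check_krb5_conf() {                 # $1 = contents of krb5.conf
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*afs-use-524[[:space:]]*=[[:space:]]*2b[[:space:]]*$'
}
```

Run the server-side checks as root on the forwarded-to machine (`sshd -T` and `klist -k` need to read sshd_config and /etc/krb5.keytab) and the client check from the machine you ssh from.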
