Long ago, we evaluated the facilities within OS-provided sshd for handling our Kerberos + OpenAFS authentication needs. That is, things like the Kerberos* settings, GetAFSToken or whatever it was called, etc.
We found it to be an unusable mismatched moving target. We decided to do everything via PAM, with the exception of ssh public key auth for those who choose to use it and not get OpenAFS tokens automatically. It works great thanks to pam_krb5 and pam_afs_session from Russ Allbery.

Our problem now is, of course, that people are complaining about the number of times they have to type a password. Can some of you hint to me what I should be researching as a solution to this? Essentially we need a non-interactive way to get OpenAFS tokens via krb5 creds, and I am pretty clueless about such things.

More specifically, this has all come about from users complaining about CVS-via-SSH requiring a password in order to get tokens.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
