AFS support?

From: Atro Tossavainen
Date: Wed, 22 Jan 2003 10:04:50 +0200 (EET)

    I would like to ask those of you who use AFS and any kind of Secure
    Shell for AFS logins:

    * Are you still using SSH1 with Dug Song's obsolete patches?

    * Are you using OpenSSH, which (to my knowledge) only supports AFS
      logins with SSH protocol version 1 (since the internal AFS support
      in OpenSSH is derived from Dug Song's SSH1 patches)?

    * Do you have a solution for integrating SSH2 with AFS logins on any
      platform, one that does not involve PAM?

    I'm asking all this because we would like to be able to move on to SSH2
    but have an AFS environment with multiple platforms (Tru64, IRIX,
    Solaris, HP-UX, Linux), not all of which support PAM, but all of which
    need to have AFS login support, and all of which should ideally do it
    exactly the same way, i.e. internally in ssh.

    * I've been talking to my friends at SSH corp about the possibility of
      them producing a proper AFS patch for SSH2 that wouldn't treat AFS as
      vanilla Kerberos IV, which would allow the login session access to
      information such as "days until password expiration". So far, it
      looks like it's not going to happen - more important things to do,
      apparently, insufficient interest in existing customer base, and
      a total lack of interest on IBM's behalf.

      Would you be willing to purchase such a patch if they wrote one and
      it did the real thing?

      I know we would, but our site of far less than 100 UNIX machines
      doesn't quite have the necessary momentum. If there were a number
      of parties willing to pay for SSH to do this, the likelihood of the
      patch being written would probably increase.

    I am not affiliated with SSH Communications Security Corporation in any
    way other than that some of my friends work there. I am not even a
    stock owner. The University of Helsinki has no interest, financial or
    otherwise, in SSH Communications Security Corporation.

    I also don't need any bitching about issues regarding free software or
    SSH licensing conditions. I don't care, and it's none of my business
    anyway. I just want to get these things to work. It would take me far
    too long to do the necessary programming myself and it would probably
    still stink, but I would be able to make my employer put in some money
    for somebody to do it well. SSH Corp just seems like a logical choice.

    Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
    Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
    +358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
    <URL:http://www.iki.fi/atro.tossavainen/>
    File attachments NOT welcome unless agreed to beforehand.
