(Copied from an old web page. Needs clean up.)
SSH and Shared AccountsPreviously SLAC used a locally customized version of SSH that supported forwarding AFS tokens during login. Unfortunately, the latest versions of OpenSSH make maintaining these set of patches and keeping our software current very difficult. We are switching to a new version of ssh that supports Kerberos TGT forwarding and using this forwarded ticket to obtain an AFS token at login. This will make many things much easier and simpler in the future, but leaves us with a difficult transition period as the behavior of one of the most commonly used tools changes. Accessing Shared AccountsThe new version will require you to use ssh version 2 to take advantage of the TGT forwarding and automatically get an afs token when logging into a shared access or role account. Version 1 rsa key based connections will continue to be supported until sometime in December 2007, but only a GSSAPI or kerberos login will get you an automatic AFS token on login. Due to DOE computer security requirements ssh version 1 will have to be phased out by 2008. |
Using SSH to access a shared account
...