SSH to Andrew File System (AFS) Without Credentials
This is the first part of a 2-part guide on how you can SSH to the Andrew File System without keying in your credentails, as well as mounting the Andrew File System (AFS) locally on your Linux machine. This is highly useful if you are a student or faculty member from one of the many universities around the world whose computing systems runs on AFS, such as CMU, MIT, Stanford, Caltech, to list a few. If you have long passwords and wish to open multiple SSH sessions (although you probably would want to check tmux out), this will come in useful. By mounting AFS locally, you no longer have to SSH in to edit, manage, or copy your files; everything can be done natively in your file explorer or via the command line.
The Andrew File System
The AFS is a distributed file system that was developed in Carnegie Mellon University in the early 1980s, one of the first of its kind. Named after Andrew Carnegie and Andrew Mellon, the founders of the present-day Carnegie Mellon University, AFS was designed for scale, and introduced novel but now industry-standard techniques such as edge caching on the client to reduce bandwidth consumption by a single client. A quirk of AFS that may surprise people familiar with Unix-like operating system environments is that AFS introduces its own AFS File Permissions that allows for more fine-grained access controls compared to traditional Unix file permission bits, which you can read more about here.
The following guide is tailored for Ubuntu as that is what most people would use, but I personally got it working on my Arch Linux machine and the steps should be similar for other Linux distributions as well, as well as OSX, but I have not tested this personally. Also, the user input for the cells and realms used is customized for CMU. Replace it accordingly with the information of your own school otherwise.
Setting up Kerberos
Kerberos is what AFS uses for authentication. Before we mount AFS, we must ensure that we are authenticated with a Kerberos ticket with the server. To install the Kerberos client:
After installing Kerberos, you are now ready to authenticate.
You can run
klist to check the status of your tickets. Take note of their expiry date; in the case of CMU, it is valid for 24 hours and so you need to re-authenticate with Kerberos every 24 hours.
Setting up GSSAPI Authentication
Kerberos authentication requires GSSAPI (Generic Security Services Application Programming Interface). To set this up, in your
~/.ssh/config file (create it if it does not exist), add
Trying it out
You should now be able to SSH to AFS without entering your credentials!
This concludes Part 1 of the tutorial. In Part 2 we will discuss how we can mount AFS locally with OpenAFS.