Pantek Library

AFS support?

From: Atro Tossavainen <atossava(at)cc.helsinki.fi>
Date: Wed Jan 22 2003 - 03:04:50 EST


I would like to ask those of you who use AFS and any kind of Secure Shell for AFS logins:

  • Are you still using SSH1 with Dug Song's obsolete patches?
  • Are you using OpenSSH, which (to my knowledge) only supports AFS logins with SSH protocol version 1 (since the internal AFS support in OpenSSH is derived from Dug Song's SSH1 patches)?
  • Do you have a solution for integrating SSH2 with AFS logins on any platform, one that does not involve PAM?

I'm asking all this because we would like to be able to move on to SSH2 but have an AFS environment with multiple platforms (Tru64, IRIX, Solaris, HP-UX, Linux), not all of which support PAM, but all of which need to have AFS login support, and all of which should ideally do it exactly the same way, i.e. internally in ssh.

  • I've been talking to my friends at SSH corp about the possibility of them producing a proper AFS patch for SSH2 that wouldn't treat AFS as vanilla Kerberos IV, which would allow the login session access to information such as "days until password expiration". So far, it looks like it's not going to happen - more important things to do, apparently, insufficient interest in existing customer base, and a total lack of interest on IBM's behalf.

  Would you be willing to purchase such a patch if they wrote one and it did the real thing?

  I know we would, but our site of far less than 100 UNIX machines doesn't quite have the necessary momentum. If there were a number of parties willing to pay for SSH to do this, the likelihood of the patch being written would probably increase.

I am not affiliated with SSH Communications Security Corporation in any way other than that some of my friends work there. I am not even a stock owner. The University of Helsinki has no interest, financial or otherwise, in SSH Communications Security Corporation.

I also don't need any bitching about issues regarding free software or SSH licensing conditions. I don't care, and it's none of my business anyway. I just want to get these things to work. It would take me far too long to do the necessary programming myself and it would probably still stink, but I would be able to make my employer put in some money for somebody to do it well. SSH Corp just seems like a logical choice.

-- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
<URL:http://www.iki.fi/atro.tossavainen/>

File attachments NOT welcome unless agreed to beforehand.
Received on Thu Jan 23 12:07:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:52 EDT

