[OpenAFS] PAGs aklog and PAM

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 13 Jun 2001 01:59:25 -0400 (EDT)

On Tue, 12 Jun 2001, Charles Clancy wrote:

> In looking at the aklog source, it looks like its PAG code used to do a
> setpag(), but now ktc_SetToken() takes care of that:
> from aklog_main.c:
>     /*
>      * The code that _used_ to be here called setpag().  When you think
>      * about this, doing this makes no sense!  setpag() allocates a PAG
>      * only for the current process, so the token installed would have
>      * not be usable in the parent!  Since ktc_SetToken() now takes a
>      * 4th argument to control whether or not we're going to allocate
>      * a PAG (and since when you do it _that_ way, it modifies the cred
>      * structure of your parent)), why don't we use that instead?
>      */
> Does anyone have any comments on ktc_SetToken()?  Would it be better to
> use that, instead of setpag()?

In aklog, yes.  In a PAM module, no.  ktc_SetToken stores a token in the
token cache.  One of its arguments is a set of flags, and one of those
flags means to create a new PAG to hold the token being set.  As the
comment above describes, when this mode is used, the new PAG is associated
not only with the process calling ktc_SetToken(), but also with the
_parent_ of that process.  So, running 'aklog -setpag' from a shell
changes the shell's PAG -- useful, but not what you'd normally expect in a
UNIX environment.

The right thing to do for PAM modules or anything else that is doing a
login-like operation is to first call setpag() to set a new pag, and then
use ktc_SetToken with the flags set to 0.  As Derrick mentions, there is a
library included with kth-krb4 and heimdal which hides the details of KTC
interactions.  There is also a standalone library which can be used with
other Kerberos implementations.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA