[OpenAFS] Making screensaver updating token on solaris

Charles Clancy security@xauth.net
Mon, 4 Mar 2002 07:21:20 -0600 (CST)

> Thank's for the xnlock tip but I did not find a source code I was able to compile.
> Also the software seems to be very old. Thank's too for the xlockmore tip but
> I prefer a screensaver with pam support. Therefore I tried to run xscreensaver
> but unfortunatelly a normall user is not authenticated. Here are some details:
> 1) I compiled xscreensaver with the following configuration:
>         ./configure --prefix=/usr/pack/xscreensaver-4.01-ph --with-pam --with-kerberos
> --with-motif --with-jpeg

There's probably no reason to include --with-kerberos.  It can only
complicate things.  Also, the last version I played with was 3.25.

> 2) The pam.conf entries are:
>         xscreensaver auth    sufficient /usr/lib/security/pam_afs.so.1 try_first_pass
> ignore_root setenv_password_expires debug
>         xscreensaver auth    required   /usr/lib/security/pam_unix.so.1 debug
>         xscreensaver auth    required   /usr/lib/security/pam_dial_auth.so.1
>         xscreensaver account sufficient /usr/lib/security/pam_afs.so.1 try_first_pass
> ignore_root debug
>         xscreensaver account required   /usr/lib/security/pam_unix.so.1 debug
>     These entries are identical to the ssh entries (ssh works fine) only "sshd" replaced
> by "xscreensaver"

I've used the following settings:

xscreensaver auth optional /usr/lib/security/pam_unix.so.1
xscreensaver auth optional /usr/lib/security/pam_afs.so.1 use_first_pass ignore_root

With Solaris PAM, you can have both modules set as "optional", and it
won't let users through unless one of the two is successful.  This is NOT
the case with Linux PAM.

> 3) Running xscreensaver with the "-verbose" flag I get:
>         xscreensaver: 10:32:04: pam_start ("xscreensaver", "huesser", ...) ==> 0 (Success)
>         xscreensaver: 10:32:04:   pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success)
>         xscreensaver: 10:32:04:     PAM ECHO_OFF("AFS Password: ") ==> password
>         xscreensaver: 10:32:04:     PAM ECHO_OFF("System Password: ") ==> password
>         xscreensaver: 10:32:04:   pam_authenticate (...) ==> 9 (Authentication failed)
>         xscreensaver: 10:32:04:   pam_set_item(p, PAM_USER, "root") ==> 0 (Success)
>         xscreensaver: 10:32:04:     PAM ECHO_OFF("Password: ") ==> password
>         xscreensaver: 10:32:04:   pam_authenticate (...) ==> 9 (Authentication failed)
>         xscreensaver: 10:32:04: pam_end (...) ==> 0 (Success)
>         xscreensaver: 10:32:04: password incorrect!

Looks like it's trying first to authenticate your AFS user, and then tries
to authenticate the root user.  Both failed.

> 4) Looking at the logfiles on the afs server I observe that the client does not tries
>      to conntact the server (no entries for "huesser" are found).
> 5) /usr/lib/security/pam_afs.so.1 is opened by xscreenserver while I am typing in
>      my password (unfortunatelly with no effect).
> Does somebody run xscreensaver on Solaris and how was it compiled ?

I've used xscreensaver on Solaris, working with AFS, for years.  It's
amazing how well the OpenGL screensavers run on an Expert 3D frame buffer
in a quad-processor Ultra 80 with a gig of RAM.

Try the PAM config I listed above.  If that fails, try an older version of
xscreensaver.  Like I said, I got version 3.25 working.

t. charles clancy <> tclancy@uiuc.edu <>  www.uiuc.edu/~tclancy
cryptography & information protection <> electrical engineering
       coordinated science laboratory <> university of illinois