[OpenAFS] Krb5 integration with AFS

Derrick J Brashear shadow@dementia.org
Wed, 31 Dec 2003 01:33:02 -0500 (EST)


On Tue, 30 Dec 2003, John Tang Boyland wrote:

> ] >And the archive
> ] >of this list indicates you need lots of hairy things in
> ] >the krb5.conf in order to get PAM to work.
> ]
> ] Well, to quote Derrick Brashear, "PAM sucks".
>
> Well, I agree that PAM + krb5 is pretty scary currently.  But (as a
> user) I find PAM very convenient.  I like being able to use my AFS
> password for CDE login, and for telnet and for ftp and for ssh (modulo
> the PAG problem that has not been fixed to my knowledge).  It seems a
> whole lot better than the old specialized login binary.

The PAG problem; the inconsistent application support (maybe now they are
consistent, but initially Sun was doing it differently in every app, in some
cases blatantly wrong, like calling close session right after open session,
not when you logged out later); the coarseness of the config syntax (want to
allow local passwords but only if Kerberos fails, and to do AFS if
Kerberos succeeds? Good luck.)

I also like using my Kerberos password for all those things: by typing it
one time, when I sit down, and having clever utilities which leverage
authentication, instead of typing my password 50 times while I'm sitting.
Hence my routine denigration of pubcookie: I typed my password. I'm not
typing it again. Thus, pubcookie falls in the category of "doesn't work"
because it shows me a password dialog, instead of the web page I asked
for. I *am* authenticated.

Less tangent: so this means you replace ftpd, telnetd, sshd, or you use a
vendor that provides GSSAPI-capable versions of such. So you need PAM for
CDE, and the other things you replaced with versions that aren't the same
tired BSD versions from 1985.