[OpenAFS] kerberos + pam

Douglas E. Engert deengert@anl.gov
Fri, 15 Oct 2004 13:39:44 -0500

Sensei wrote:

> On Thu, 2004-10-14 at 19:08, Maurizio Santini wrote:
>>1) When I use the module provided by kerberos package (pam_krb5afs.so) I
>>2) If I use the same module provided by
>>3) If I use the module pam_afs.krb.so provided by the openafs rpms I get
> I suppose that
> - you're not running kaserver
> - you have a kdc
> - you authenticate over k5
> - you want to get a token along with a ticket
> I'd suggest in trying pam_openafs_session from debian stable (simply
> aklog). None of the previous solutions worked for me. The third solution
> works only if you have a k4 ticket. 

As you note this is quite complicated. See my note of 9/17/4
"[OpenAFS] The AFS + PAM + SSH  Nightmare" If you are interested,
the first version of the gafstoken and pam_afs2 are available.


The gafstoken is a single routine that will issue a syscall to get a PAG,
then fork/exec your favorite aklog to get a token. gafstoken has
no AFS or Kerberos dependencies (other than knowing the PAG syscall).

The pam_afs2 is a pam routine designed to work with some pam_krb5 or
OpenSSH calling PAM. pam_afs2 takes the pam_env_list and passes this
to gafstoken, so it is accessible to your aklog.

pam_afs2 has no Kerberos or AFS code or dependencies either.
It is counting on the pam_krb5 or OpenSSH to have saved the ticket cache and
have called pam_put_env with KRB5CCNAME. pam_krb5 can be run from the
pam_sm_authenticate, pam_sm_set_cred, or pam_sm_open_session depending
on how the calling application uses PAM.

These routines are new but do work well with Solaris so far. They should
work on other systems as well. I am looking for feedback.



  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
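The mechanism Douglas describes above (a helper that receives the PAM environment list, so that KRB5CCNAME reaches aklog, and then fork/execs aklog) can be sketched in C. The following is an added example written for this page; it is not the gafstoken or pam_afs2 code from the message. It assumes the PAM environment list looks like what pam_getenvlist() returns (a NULL-terminated array of "NAME=value" strings, constructed inline here), it stands in for the platform-specific PAG syscall with a do-nothing hook, and it shows one thing a practitioner would want from such a helper: only KRB5CCNAME and PATH are forwarded to the child, so stray entries in the PAM environment cannot influence how aklog is loaded or run.

```c
/* Added example (not gafstoken/pam_afs2): forward a filtered PAM
   environment to a fork/exec'd aklog so it can find KRB5CCNAME. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Only these variables are allowed to reach aklog. Everything else in the
   PAM environment list (and the caller's own environment) is dropped. */
static const char *allowed_prefixes[] = { "KRB5CCNAME=", "PATH=", NULL };

static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy) memcpy(copy, s, len);
    return copy;
}

/* Build a NULL-terminated envp for execve() from pam_env, keeping only the
   allowed entries and adding a fixed PATH if none was supplied.
   Caller releases the result with free_env(). */
char **build_aklog_env(char *const *pam_env) {
    size_t count = 0, n = 0;
    int have_path = 0;
    while (pam_env && pam_env[count]) count++;
    char **out = calloc(count + 2, sizeof *out);   /* room for PATH + NULL */
    if (!out) return NULL;
    for (size_t i = 0; i < count; i++) {
        for (const char **p = allowed_prefixes; *p; p++) {
            if (strncmp(pam_env[i], *p, strlen(*p)) == 0) {
                out[n++] = dup_string(pam_env[i]);
                if (strcmp(*p, "PATH=") == 0) have_path = 1;
                break;
            }
        }
    }
    if (!have_path) out[n++] = dup_string("PATH=/usr/bin:/bin");
    out[n] = NULL;
    return out;
}

void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* Returns 1 if "var=" is present in env, 0 otherwise. */
int env_has(char *const *env, const char *var) {
    size_t len = strlen(var);
    for (size_t i = 0; env && env[i]; i++)
        if (strncmp(env[i], var, len) == 0 && env[i][len] == '=') return 1;
    return 0;
}

/* Placeholder for the platform-specific PAG syscall (an assumption of this
   example). The real helper issues that syscall here; this one does nothing. */
static int enter_new_pag(void) { return 0; }

/* Fork, (notionally) enter a new PAG, then exec aklog with the filtered
   environment. Returns the child's exit status, or -1 on failure. */
int run_aklog_with_env(const char *aklog_path, char *const *argv, char *const *pam_env) {
    char **envp = build_aklog_env(pam_env);
    if (!envp) return -1;
    int status = -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (enter_new_pag() != 0) _exit(127);
        execve(aklog_path, argv, envp);
        _exit(127);                                /* exec failed */
    } else if (pid > 0) {
        int raw = 0;
        if (waitpid(pid, &raw, 0) == pid && WIFEXITED(raw))
            status = WEXITSTATUS(raw);
    }
    free_env(envp);
    return status;
}

int main(void) {
    /* Constructed sample of what pam_getenvlist() might hand back. */
    char *sample_env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_example",
                           "LD_PRELOAD=/tmp/unexpected.so",
                           "HOME=/home/example", NULL };
    char **env = build_aklog_env(sample_env);
    for (size_t i = 0; env && env[i]; i++) printf("child env: %s\n", env[i]);
    free_env(env);
    return 0;
}
```

Running the block prints the two entries that survive filtering (KRB5CCNAME and the default PATH); in a real helper the argv would name the aklog binary and the PAG hook would be the actual syscall, with the filtered environment being the only thing the child inherits.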