[OpenAFS] The AFS + PAM + SSH Nightmare

Douglas E. Engert deengert@anl.gov
Fri, 17 Sep 2004 16:28:21 -0500

As a recent thread on this list pointed out, there
are a lot of steps one must take to get AFS to work with
PAM and SSH. There are multiple versions of Kerberos to
contend with, as well as multiple versions of PAM routines,
that work with one or another version of aklog, or afslogin.
These programs are distributed for some OSs but not all.

I have been working on some simplifications to make this
more transparent and acceptable so that vendors can
distribute precompiled code that will work with Kerberos
and AFS. It might even be different versions of Kerberos
used in the pam_krb5 as used in the aklog.

At the heart of these changes, is that the Kerberos ticket
cache has a common format across all versions of Kerberos,
and is pointed at via the KRB5CCNAME environment variable.
The cache is either created as a result of a daemon or PAM
routines creating it, or via GSSAPI delegation of

Many of the current PAM routines try to do both Kerberos
authentication and AFS PAG and token processing using the
open krb5_context from the authentication. This leads to
much of the confusion, especially with OpenSSH and privsep
and multiple processes.

I am proposing to break this up, and let the pam_krb5 do
the authentication, and after saving the cache let
aklog or afslogin (or whatever) acquire the token.

I now have a pam_afs2.so. It has no Kerberos or AFS
code. It can be called from pam_sm_authenticate, pam_sm_setcred
or pam_sm_open_session. (This is similar to the pam_afs_session
but is separate from any OS vendor.)  It calls one routine:

get_afs_token(char * external_program,
                 char ** env,
                 uid_t uid,
                 char * homedir,
                 int setpag);

which is in a separate library. This routine
has no Kerberos or AFS code or library dependencies,
but does have the sys_call numbers to get an AFS PAG.
If AFS is not installed, it will catch any sys call failures,
and return. It will fork/exec the external_program
(defaults to libexec/get-afs-token which can be
a symlink to your favorite aklog) as user=uid, passing
it the env from pam_get_envlist, and the -p homedir.
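An added sketch of the routine described above, not Douglas Engert's code: it tries the PAG syscall first (the syscall number is a placeholder, since the real one is OS-specific and not given here), treats a host without AFS as "nothing to do", and otherwise runs the external program as the target uid with only the PAM-supplied environment and "-p homedir". The demo_env array and the exit-status convention are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder, not the real OpenAFS value: the PAG syscall number is
 * OS-specific. -1 is never a valid syscall, so this models a host
 * without AFS in the kernel (syscall() fails with ENOSYS). */
#define AFS_SETPAG_SYSCALL_PLACEHOLDER (-1L)

/* Constructed PAM-style environment handed to the token program. */
static char *const demo_env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_example",
                                  "PATH=/usr/bin:/bin", NULL };

/* Ask the kernel for a new PAG. 1 = got one, 0 = no AFS on this host,
 * -1 = AFS present but the call failed. */
int try_setpag(void) {
    if (syscall(AFS_SETPAG_SYSCALL_PLACEHOLDER) == 0) return 1;
    return (errno == ENOSYS || errno == EINVAL) ? 0 : -1;
}

/* Run external_program as uid with only env, passing "-p homedir".
 * Returns the child's exit status (127 = exec failed), 0 when there
 * is no usable AFS to get a token for, -1 on fork/wait failure. */
int get_afs_token(const char *external_program, char *const *env,
                  uid_t uid, const char *homedir, int setpag) {
    if (setpag && try_setpag() != 1) return 0;  /* no AFS: just return */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Drop privileges before exec: supplementary groups and gid
         * first (only root may set them), uid last. */
        if (geteuid() == 0) {
            struct passwd *pw = getpwuid(uid);
            if (!pw || initgroups(pw->pw_name, pw->pw_gid) != 0 ||
                setgid(pw->pw_gid) != 0) _exit(126);
        }
        if (setuid(uid) != 0) _exit(126);
        char *const argv[] = { (char *)external_program, "-p",
                               (char *)homedir, NULL };
        execve(external_program, argv, env);
        _exit(127);  /* exec failed, e.g. get-afs-token not installed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```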

The intention would be OpenAFS could distribute a
version of get_afs_token that can be used without AFS
having to be installed on the system. OpenAFS would also
distribute the pam_afs2.

I have been testing this on Solaris 9 and OpenSSH-3.9
with MIT krb5-1.3.4, and using either a modified version
of Frank Cusack's pam_krb5, or the SourceForge
pam_krb5-1.3-rc7. So far this works with login, dtlogin,
and dtsession using console, CDE, Gnome, or straight X11.
With xlock and xscreensaver the tickets and token are
refreshed. Eventually I would like it to work with the Sun
SEAM and Sun pam_krb5.

The OpenSSH-3.9 with the two bug fixes works without any other
mods. I also have mods to the krb5-1.3.4 krlogind, krshd,
ftpd, and telnetd to call get_afs_token as needed.

> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444