[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Douglas E. Engert deengert@anl.gov
Wed, 13 Apr 2005 22:27:26 -0500


Franco "Sensei" wrote:
> Douglas E. Engert wrote:
> 
>> As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
>> AFS integration into the login process becomes more difficult, as
>> some vendors do not provide OpenAFS. We have no problems with installing
>> OpenAFS separately, but would like to not have to replace the vendor's
>> pam_krb5 or sshd modules that combine Kerberos and AFS.
> 
> 
> Of course I would go with things as vanilla as possible.
> 
>> Kerberos and OpenSSH are much more widely known and accepted
>> by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
>> Kerberos and SSH, but there are a lot of vendors that do not support
>> OpenAFS. And many sysadmins are reluctant to replace the PAM
>> and SSH to support OpenAFS versions. They may be willing to add
>> but not replace.
> 
> 
> More or less...
> 
>> I would like to contribute to OpenAFS two source modules, pam_afs2.c
>> and gafstoken.c.  These can be found today in two separate build
>> packages:
>>
>>      ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
>>      ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
> 
> 
> Ok.
> 
>> pam_afs2.c is a PAM routine that can be called after a pam_krb5
>> routine has been called. All pam_afs2.c requires is that the pam_krb5
>> routine has stored the credentials and done pam_putenv of the
>> KRB5CCNAME.
>>
>> pam_afs2.c will then call the gafstoken routine that will
>> get a PAG using syscalls, then fork/exec your favorite aklog,
>> ak5log, gssklog, or afslog to actually get the token.
> 
> 
> Basically, you're doing the same thing as pam_openafs_session.so in
> Debian.

Could be, but it's for more than Debian. I would like to see OpenAFS
provide the PAM routine that would run in any system.

> 
>> Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
>> in them directly (other than the syscalls to get a PAG), this helps
>> to simplify the integration and avoids Kerberos lib name clashes and
>> eliminates 32 vs 64 bit version problems and allows for
>> integration at the pam.conf level.
> 
> 
> Is pam_afs2.so at session level like pam_openafs_session.so? Where is it
> called?

OpenSSH for example can call PAM session, after it has authenticated
via gssapi-with-mic, and received a delegated credential. It will
do a pam_setenv(KRB5CCNAME=...) The pam_afs2 can pass this to the
aklog to use to get K5 tickets.

It is also called if user/password was used with Kerberos or Kerberos
via pam_krb5. They both save the credentials and set KRB5CCNAME.


Note that OpenSSH-3.9p1 needs the patch from bug #918. This was fixed in
4.0, but I have not tried 4.x yet.

> 
>> I have been using these routines on Solaris 9 for almost 6 months
>> and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
>> and friends. Unlocking the screen will keep the same PAG, but get
>> a new Kerberos ticket and AFS token.
> 
> 
> That's good.
> 
>> We have been using the MIT Kerberos on Solaris, but expect to
>> have a simple conversion to Solaris 10 using the Solaris Kerberos.
>>
>> I have also done some testing on RedHat using their pam_krb5.o,
>> rather than the pam_krb5afs.o.
> 
> 
> I find pam_krb5afs.so better, but I didn't realize how to get a pag before
> enabling the shell (suse linux).

I have not tried this on Suse, but would expect it to work.
I would not expect to see a pam_krb5afs.so on Solaris or HP.

> 
>> pam_afs2 also works well with OpenSSH pam session support, to get
>> the PAG and token, with no OpenSSH mods required.
> 
> 
> It doesn't work for a SSO though. Am I right?

pam_afs2 is not doing authentication, it is there to get a PAG and token
using the credentials saved by a previous pam or by the application like
OpenSSH.

You can use Krb5 for the SSO, and pam_afs2 gets the token for access to
your home directory.

> 
>> The two tar files listed above will configure to build the
>> pam routine and the gafstoken lib. They each have a README
>> file which goes into more detail. A pam.conf file for Solaris is
>> also included in the tar file.
> 
> 
> I'll give it a chance, but, did you try something for AIX?
> 

We used to have AIX, and there is some PAG code in the gafstoken
for AIX that may still work. Let me know if it needs some changes or not.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
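The message above describes the core of pam_afs2/gafstoken: a session-stage module that trusts nothing except the KRB5CCNAME a prior pam_krb5 (or sshd) exported, and then fork/execs an external token-getter (aklog, afslog, ...) rather than linking Kerberos or AFS libraries itself. The following is an added illustration of that exec step, not code from the pam_afs2 or gafstoken tarballs: it validates the ccache name before handing it to a child, runs the helper as the target user with a minimal environment, and reports the helper's exit status. The PAG step (an OpenAFS syscall in the real gafstoken) is deliberately left out, as is the PAM glue (pam_getenv of KRB5CCNAME in pam_sm_open_session), so the helper path and uid/gid are passed in by the caller as assumptions.

```c
/* Added example (not OpenAFS project code): a privilege-dropping exec
 * wrapper in the spirit of gafstoken. The caller is assumed to have
 * already obtained a PAG and fetched KRB5CCNAME from the PAM environment. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only ccache names of the form TYPE:residual where TYPE is an
 * upper-case token (FILE, DIR, KCM, ...) and no control characters are
 * present. An empty value or a bare path is rejected so the child never
 * sees a malformed or smuggled environment entry. Returns 1 if valid. */
int valid_ccname(const char *ccname)
{
    const char *colon;
    const char *p;

    if (ccname == NULL || *ccname == '\0')
        return 0;
    colon = strchr(ccname, ':');
    if (colon == NULL || colon == ccname)      /* need "TYPE:" */
        return 0;
    for (p = ccname; p < colon; p++)
        if (!isupper((unsigned char)*p))
            return 0;
    if (colon[1] == '\0')                      /* empty residual */
        return 0;
    for (p = ccname; *p != '\0'; p++)
        if (iscntrl((unsigned char)*p))
            return 0;
    return 1;
}

/* Fork/exec `helper` (absolute path, e.g. the site's aklog) as uid/gid
 * with an environment containing only KRB5CCNAME and a fixed PATH. No
 * shell is involved, so the ccache name is never re-parsed by /bin/sh.
 * Returns the child's exit status (0 = token obtained) or -1 on failure.
 * A real module running as root should also call initgroups() before
 * setuid(); it is omitted here so the example runs unprivileged. */
int run_token_helper(const char *ccname, uid_t uid, gid_t gid, const char *helper)
{
    char envcc[1024];
    char *envp[3];
    char *argv[2];
    pid_t pid;
    int status;

    if (!valid_ccname(ccname) || helper == NULL || helper[0] != '/')
        return -1;
    if (snprintf(envcc, sizeof envcc, "KRB5CCNAME=%s", ccname) >= (int)sizeof envcc)
        return -1;

    envp[0] = envcc;
    envp[1] = "PATH=/usr/bin:/bin";
    envp[2] = NULL;
    argv[0] = (char *)helper;
    argv[1] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user; refuse to exec if either fails. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(127);
        execve(helper, argv, envp);
        _exit(127);                            /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a FILE ccache name as pam_krb5 would export it,
     * exercised against /bin/true in place of a real aklog. */
    int rc = run_token_helper("FILE:/tmp/krb5cc_1000", getuid(), getgid(), "/bin/true");
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

In a pam_sm_open_session implementation the ccname would come from pam_getenv(pamh, "KRB5CCNAME") and uid/gid from getpwnam() on the PAM user; the point the example makes is that the module itself needs neither libkrb5 nor libafs, which is what lets it sit next to a vendor pam_krb5 instead of replacing it.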