[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Douglas E. Engert deengert@anl.gov
Wed, 13 Apr 2005 22:27:26 -0500

Franco "Sensei" wrote:
> Douglas E. Engert wrote:
>> As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
>> AFS integration into the login process becomes more difficult, as
>> some vendors do not provide OpenAFS. We have no problems with installing
>> OpenAFS separately, but would like to not have to replace the vendor's
>> pam_krb5 or sshd modules that combine Kerberos and AFS.
> Of course I would go with things as vanilla as possible.
>> Kerberos and OpenSSH are much more widely known and accepted
>> by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
>> Kerberos and SSH, but there are a lot of vendors that do not support
>> OpenAFS. And many sysadmins are reluctant to replace the PAM
>> and SSH to support OpenAFS versions. They may be willing to add
>> but not replace.
> More or less...
>> I would like to contribute to OpenAFS two source modules, pam_afs2.c
>> and gafstoken.c.  These can be found today in two separate build
>> packages:
>>      ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
>>      ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
> Ok.
>> pam_afs2.c is a PAM routine that can be called after a pam_krb5
>> routine has been called. All pam_afs2.c requires is that the pam_krb5
>> routine has stored the credentials and done pam_putenv of the
>> pam_afs2.c will then call the gafstoken routine that will
>> get a PAG using syscalls, then fork/exec your favorite aklog,
>> ak5log, gssklog, or afslog to actually get the token.
> Basically, you're doing the same thing as pam_openafs_session.so in
> Debian.

Could be, but it's for more than Debian. I would like to see OpenAFS
provide the PAM routine that would run on any system.

>> Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
>> in them directly (other than the syscalls to get a PAG), this helps
>> to simplify the integration and avoids Kerberos lib name clashes and
>> eliminates 32 vs 64 bit version problems and allows for
>> integration at the pam.conf level.
> Is pam_afs2.so at session level like pam_openafs_session.so? Where is it
> called?

OpenSSH for example can call PAM session, after it has authenticated
via gssapi-with-mic, and received a delegated credential. It will
do a pam_setenv(KRB5CCNAME=...). The pam_afs2 can pass this to the
aklog to use to get K5 tickets.

It is also called if user/password was used with Kerberos or Kerberos
via pam_krb5. They both save the credentials and set KRB5CCNAME.

Note that OpenSSH-3.9p1 needs the patch from bug #918. This was fixed in
4.0, but I have not tried 4.x yet.

>> I have been using these routines on Solaris 9 for almost 6 months
>> and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
>> and friends. Unlocking the screen will keep the same PAG, but get
>> a new Kerberos ticket and AFS token.
> That's good.
>> We have been using the MIT Kerberos on Solaris, but expect to
>> have a simple conversion to Solaris 10 using the Solaris Kerberos.
>> I have also done some testing on RedHat using their pam_krb5.o,
>> rather than the pam_krb5afs.o.
> I find pam_krb5afs.so better, but I didn't realize how to get a pag before
> enabling the shell (SuSE Linux).

I have not tried this on SuSE, but would expect it to work.
I would not expect to see a pam_krb5afs.so on Solaris or HP.

>> pam_afs2 also works well with OpenSSH pam session support, to get
>> the PAG and token, with no OpenSSH mods required.
> It doesn't work for an SSO though. Am I right?

pam_afs2 is not doing authentication, it is there to get a PAG and token
using the credentials saved by a previous pam or by the application like

You can use Krb5 for the SSO, and pam_afs2 gets the token for access to
your home directory.

>> The two tar files listed above will configure to build the
>> pam routine and the gafstoken lib. They each have a README
>> file which goes into more detail. A pam.conf file for Solaris is
>> also included in the tar file.
> I'll give it a chance, but, did you try something for AIX?

We used to have AIX, and there is some PAG code in the gafstoken
for AIX that may still work. Let me know if it needs some changes or not.


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
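The hand-off the thread describes, a session-time module passing the KRB5CCNAME left by pam_krb5 or sshd to an external aklog-style helper, as an added C example that is not code from pam_afs2 or gafstoken. The function name run_token_helper and the helper path are this example's own; the PAG syscall that the real gafstoken makes first needs the AFS kernel module and is left out.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a FILE: credential cache with a conservative character set.
 * The value arrives via the PAM environment from whichever module
 * authenticated (pam_krb5, or sshd after gssapi-with-mic delegation),
 * so it is treated as untrusted input. */
static int ccname_is_sane(const char *cc)
{
    if (cc == NULL || strncmp(cc, "FILE:/", 6) != 0 || strlen(cc) > 255)
        return 0;
    for (const char *p = cc + 6; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && strchr("/_-.", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Fork/exec the token helper (aklog, ak5log, gssklog or afslog) by absolute
 * path, with a minimal environment carrying only KRB5CCNAME and PATH.
 * Returns the helper's exit status, 127 if exec failed, -1 on bad input
 * or fork/wait failure. A real PAM module would obtain a PAG first (AFS
 * syscall, not shown) and should drop to the user's uid/gid in the child
 * before exec so root never parses a user-controlled cache file. */
int run_token_helper(const char *helper, const char *ccname)
{
    if (helper == NULL || helper[0] != '/' || !ccname_is_sane(ccname)) {
        errno = EINVAL;
        return -1;
    }
    char ccenv[272];                     /* "KRB5CCNAME=" + 255 + NUL */
    snprintf(ccenv, sizeof ccenv, "KRB5CCNAME=%s", ccname);
    char *envp[] = { ccenv, "PATH=/usr/bin:/bin", NULL };
    char *argv[] = { (char *)helper, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```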