[OpenAFS] aklog and PAM for Solaris
Douglas E. Engert
deengert@anl.gov
Mon, 22 Aug 2005 09:50:04 -0500
John Tang Boyland wrote:
> I've been able to transition to using Kerberos V with the help
> of people on this list and Ken's migration kit (thanks!). I put some
> notes in the Wiki to fill in some gaps.
>
> I notice that openafs-1.3.87 includes aklog (good!) but it seems to be
> missing a PAM module that can be used with krb5. The man page
> pam_afs.5 says one should use pam_krb5 instead of pam_afs but of
> course, pam_krb5 doesn't get AFS tokens. Because of the way dtlogin
> works on Solaris, you need to get tokens before the .profile/.cshrc is
> sourced. A PAM module seems to be the right thing. There are old
> notes talking about pam_aklog (on Martin Schultz's old AFS-Krb5 web
> page that is only available in Google caches) including about
> T. Clancy's pam_aklog with a dead URL.
>
> (1) How do other sites handle this? Is pam_aklog passé?
We are using the Solaris 10 provided pam_krb5, and Solaris provided
Kerberos which knows nothing about AFS.
We have added an additional pam_afs2 that is called after the pam_krb5
has sorted the tickets and set KRB5CCNAME in the pam_env. pam_afs2 then
fork/exec of gssklog. It could just as easily fork/exec the aklog from
1.3.87 which is on my list of things to try. Note that pam_afs2 has
no Kerberos or AFS code, it just passes the pam_env with the KRB5CCNAME
to the gssklog or aklog.
The above works with Solaris 10's version of SSHD, dtlogin, login, xlock
and xscreensaver. With xlock and xscreensaver the tickets and tokens are
refreshed. See the attached pam.conf.
Solaris 10's sshd has some problems with trying to use the default
ticket cache for a user, so we went back to using session based
credentials where each session has its own ticket cache pointed
at by KRB5CCNAME. To force the SSHD to do this, we added a
pam_krb5_ccache that calls pam_put_env to preset the KRB5CCNAME
to be used by the SSHD, thus going back to session based credentials.
(On Solaris 9 we are using a version of Frank Cusack's pam_krb5
and pam_afs2 in some cases.)
> (2) If not, how can I get it for Solaris?
> (2b) Is there some reason why it isn't integrated with
> aklog in the src tree? (or in the PAM directory.)
I believe that the pam_krb5 and pam_afs* should not be integrated,
on any system, as I have said in the past. Having them separate allows
one to use the vendor's pam_krb5.
> (3) Can we get some documentation/help from this from Openafs.org ?
> There are many places that encourage one to use krb5 instead
> of AFS kaserver, but one's left scrounging around in unofficial
> RPM's off random websites to get something to work with Solaris.
If anyone is interested, here is one of those random sites:
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.3.tar
ftp://achilles.ctd.anl.gov/pup/DEE/pam_krb5_ccache-0.1.tar
ftp://achllles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar
>
> Thanks!
> John
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
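The pam_afs2 arrangement described in the reply (a module with no Kerberos or AFS code that takes KRB5CCNAME out of the PAM environment and fork/execs gssklog or aklog as the user) can be illustrated with the following Python sketch. This is an added example, not the pam_afs2 sources; the function names, the fixed PATH, the treatment of the ccache= template (%u as uid, %p as login pid) and the use of a shell stand-in for aklog are all assumptions.

```python
"""Sketch of the pam_afs2 idea: no Kerberos/AFS code of its own, just hand
KRB5CCNAME from the PAM environment to an external helper run as the user.
Added example; function names and the ccache template expansion are assumed."""
import os
import pwd
import subprocess
import types


def expand_ccache(template, uid, pid):
    """Expand a ccache= template such as /tmp/krb5cc_pw_%u_%p from the
    pam.conf above. Assumption: %u is the numeric uid and %p the pid of
    the login process, which gives each session its own ticket cache."""
    return template.replace("%u", str(uid)).replace("%p", str(pid))


def build_child_env(pam_env):
    """Environment for the helper: only KRB5CCNAME, taken from the PAM
    environment that pam_krb5 (or pam_krb5_ccache) filled in earlier in
    the stack, plus a fixed PATH. Nothing else from the login process
    is passed through to the child."""
    ccname = pam_env.get("KRB5CCNAME")
    if not ccname:
        raise RuntimeError("KRB5CCNAME not in PAM environment: pam_krb5 must run first")
    return {"KRB5CCNAME": ccname, "PATH": "/usr/bin:/bin"}


def drop_to(uid, gid):
    """preexec_fn for the child: if the login process is root, become the
    login user before exec so the helper reads the cache and obtains the
    token as that user. No-op when already unprivileged (e.g. run by hand)."""
    def _switch():
        if os.geteuid() == 0:
            os.setgroups([gid])
            os.setgid(gid)
            os.setuid(uid)
    return _switch


def fetch_token(pam_env, pw, argv=("aklog",), timeout=30):
    """fork/exec the token helper (gssklog or aklog) for login user pw, a
    pwd-style record. Returns (exit status, stdout); a PAM wrapper would
    map status 0 to PAM_SUCCESS and anything else to an error."""
    proc = subprocess.run(
        list(argv),
        env=build_child_env(pam_env),
        preexec_fn=drop_to(pw.pw_uid, pw.pw_gid),
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return proc.returncode, proc.stdout


def current_user():
    """pwd entry for the invoking user; falls back to a minimal record when
    the uid has no passwd entry (e.g. inside a stripped-down container)."""
    try:
        return pwd.getpwuid(os.getuid())
    except KeyError:
        return types.SimpleNamespace(pw_uid=os.getuid(), pw_gid=os.getgid(),
                                     pw_dir=os.environ.get("HOME", "/"))


if __name__ == "__main__":
    me = current_user()
    # Constructed PAM environment, as pam_krb5 / pam_krb5_ccache would leave it.
    pam_env = {
        "KRB5CCNAME": "FILE:" + expand_ccache("/tmp/krb5cc_pw_%u_%p", me.pw_uid, os.getpid()),
        "HOME": me.pw_dir,
    }
    # Shell stand-in for aklog: shows exactly what the child receives.
    print(fetch_token(pam_env, me, argv=("sh", "-c", "echo $KRB5CCNAME; echo HOME=$HOME")))
```

The point of the minimal child environment is that the helper sees the session's ticket cache and nothing else from the login process; the demo replaces aklog with a shell command so the effect can be inspected without a Kerberos realm.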
Attachment: pam.conf.sun4x_510
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required /krb5/lib/pam_afs2.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
krsh auth required /krb5/lib/pam_afs2.so.1
#krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
#DEE leave unmodified till the pam.conf and pam_afs2 are stable
#DEE leaves us a way on to machine
# But this allows password login
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# DEE from pam_krb5_man pages:
#DEE smartcard failed, so skip it for now
#dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth optional pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs2.so.1
# allows password login
dtlogin auth optional pam_unix_auth.so.1
#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth optional pam_krb5.so.1
dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession auth optional pam_unix_auth.so.1
#
# xlock
#
xlock auth requisite pam_authtok_get.so.1
xlock auth required pam_dhkeys.so.1
xlock auth optional pam_krb5.so.1
xlock auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
xlock auth optional pam_unix_auth.so.1
#
# xscreensaver used by gnome or CDE
#
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth optional pam_krb5.so.1
xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
xscreensaver auth optional pam_unix_auth.so.1
#
#
# sshd - keyboard interactive uses all PAM exits, but
# PAM session is called when GSSAPI delegation or
# Kerberos password used, so get AFS token in all three cases.
# We want a session type cache, so with ANL PAM
# pass in ccache= to account routine
# RedHat PAM uses session caches already
#
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_krb5.so.1
# allows login with local password
sshd-kbdint auth optional pam_unix_auth.so.1
sshd-kbdint account requisite pam_roles.so.1
sshd-kbdint account required pam_unix_account.so.1
sshd-kbdint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
sshd-kbdint session required pam_unix_session.so.1
sshd-kbdint session required /krb5/lib/pam_afs2.so.1
# Used by GSS, but ssh has bug about saving creds, so we use session based creds.
sshd-gssapi account requisite pam_roles.so.1
sshd-gssapi account required pam_unix_account.so.1
sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
sshd-gssapi session required pam_unix_session.so.1
sshd-gssapi session required /krb5/lib/pam_afs2.so.1
sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 clean
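A pam.conf of this shape is easy to get subtly wrong: a misspelled service name makes that stack silently fall through to the "other" section, and pam_afs2 only works if a pam_krb5 or pam_krb5_ccache entry has already put KRB5CCNAME into the PAM environment. The following linter, an added example and not part of the post or of any OpenAFS tool, parses Solaris-style pam.conf lines and reports both problems. The sample input is a constructed excerpt in the style of the attached file, including one deliberately broken stack; the function names are assumptions.

```python
"""Linter for Solaris-style pam.conf stacks using pam_krb5 and pam_afs2.
Added example: checks service-name transpositions and pam_afs2 ordering."""
from collections import defaultdict

# Constructed excerpt in the style of the attached pam.conf; the
# sshd-kdbint lines and the "broken" stack are deliberate mistakes.
SAMPLE = """\
# constructed excerpt
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required /krb5/lib/pam_afs2.so.1
krlogin auth required pam_unix_auth.so.1
xlock auth requisite pam_authtok_get.so.1
xlock auth optional pam_krb5.so.1
xlock auth required /krb5/lib/pam_afs2.so.1 nopag
xlock auth optional pam_unix_auth.so.1
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_krb5.so.1
sshd-kdbint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
sshd-kdbint session required /krb5/lib/pam_afs2.so.1
# deliberately wrong: token helper runs before any ticket exists
broken auth required /krb5/lib/pam_afs2.so.1
broken auth required pam_krb5.so.1
"""

# Order in which a login runs the stacks that matter for KRB5CCNAME.
TYPE_RANK = {"auth": 0, "account": 1, "session": 2, "password": 3}


def parse_pam_conf(text):
    """Parse 'service type control module [options...]' lines, dropping
    comments and blank lines. The module is reduced to its basename so
    pam_afs2.so.1 matches whether or not it is given with a full path."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module [options]'")
        service, mtype, control, module, *options = parts
        entries.append({"line": lineno, "service": service, "type": mtype,
                        "control": control, "module": module.rsplit("/", 1)[-1],
                        "options": options})
    return entries


def is_transposition(a, b):
    """True when a and b differ only by two adjacent swapped characters,
    the classic typo (kbdint vs kdbint) that creates a phantom service."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def check_service_names(entries):
    """Report pairs of service names that are transpositions of each other."""
    names = sorted({e["service"] for e in entries})
    return [f"services '{a}' and '{b}' differ by a transposed pair of letters; "
            f"stacks under the misspelled name fall through to 'other'"
            for i, a in enumerate(names) for b in names[i + 1:] if is_transposition(a, b)]


def check_afs2_order(entries):
    """For every pam_afs2 entry, require a pam_krb5 or pam_krb5_ccache
    entry earlier in the same service (by stack type, then position), since
    that is what puts KRB5CCNAME into the PAM environment."""
    by_service = defaultdict(list)
    for e in entries:
        by_service[e["service"]].append(e)
    problems = []
    for svc, es in by_service.items():
        positioned = [((TYPE_RANK.get(e["type"], 9), i), e) for i, e in enumerate(es)]
        krb_positions = [p for p, e in positioned if e["module"].startswith("pam_krb5")]
        for pos, e in positioned:
            if e["module"].startswith("pam_afs2") and not any(k < pos for k in krb_positions):
                problems.append(f"line {e['line']}: {svc} {e['type']}: pam_afs2 runs before any "
                                f"pam_krb5/pam_krb5_ccache entry, so KRB5CCNAME is not yet set")
    return problems


def lint(text):
    """All findings for one pam.conf text, name problems first."""
    entries = parse_pam_conf(text)
    return check_service_names(entries) + check_afs2_order(entries)


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the attached file, the name check is what catches the sshd-kbdint/sshd-kdbint mismatch; the ordering check encodes the reply's requirement that pam_afs2 be called after pam_krb5 has sorted the tickets and set KRB5CCNAME.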