[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Douglas E. Engert
deengert@anl.gov
Mon, 26 Jan 2004 15:02:54 -0600
Jeffrey Hutzelman wrote:
>
> On Monday, January 26, 2004 12:59:56 -0600 "Douglas E. Engert"
> <deengert@anl.gov> wrote:
>
> > Yes, ak5log or gssklog. Note the -setpag, when it works, is nice,
> > as this sets the PAG in the parent process, so it makes it even easier
> > to get the OpenAFS dependencies out of the caller.
>
> Except this works only up exactly one level. The OpenSSH folks will
> inevitably end up calling this code from some process which is not in the
> inheritance chain for the user's shell, leaving us right where we are today
> with PAM. Even if they don't do it today, the restriction is obscure and
> will not be well known to people working on OpenSSH, so there is a good
> chance that it will be inadvertently broken later.
Well, the PAG needs to be set. The code with the kafs sets it in the current
process, which is the process I would have fork and exec aklog, so if they
move the code, in either case the PAG will be wrong.
>
> Worse, there is a good chance that whatever PAG mechanism we end up with on
> Linux 2.6 will not support setpag-in-parent at all. So it would be wise to
> avoid introducing new dependencies on it, especially in other people's code.
OK. The situation I would like to avoid is vendors packaging OpenSSH executables
that don't have any hooks in them to set the PAG or get a token, which is the
case today. The OpenSSH people are amenable to including some code for AFS, but
it is #ifdefed. I would like to see them include code that can run on a system
with or without AFS and not require AFS headers and libs to build, and would
always be available in the executable. It makes their life easier, and so makes
our life easier, and promotes OpenAFS.
If the PAG on Linux is defined by Linux code, and support could always be
compiled in, then, on Linux at least, the -setpag would not be needed, as there is
a better way. That I could see #ifdef depending on OS. The aklog, afslog or
whatever could actually test if a PAG needs to be obtained.
Is the PAG mechanism you expect to end up with on Linux going to be a standard
feature, i.e. always in the kernel? If not, and the setpag of parent is not
available either, that could be a step backward.
>
> -- Jeff
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444