[OpenAFS-devel] OpenAFS and OpenSSH-3.8
Derek Atkins
derek@ihtfp.com
Mon, 01 Mar 2004 20:03:40 -0500
"Douglas E. Engert" <deengert@anl.gov> writes:
>> (2) PAM could be called when GSSAPI is used for authentication.
>> A PAM session routine could do the setpag, as long as the PAM
>> routine is run from the correct process.
IMHO this seems like the best solution... Continue to use the PAM
"session" modules even when using GSSAPI authentication.
> That might help. But it does not help with the gssapi delegated credentials,
> as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
> context. It's not in the gssapi case.
Why doesn't it help?
> But both the GSSAPI delegated creds or the credentials obtained via user/password
> have been written to the cache, and the ENV KRB5CCNAME has been set.
> That's what running aklog or afslog works.
Exactly... Running a PAM session module (that is itself a shared
library) can perform the setpag for you. This seems to solve your
problem without adding a direct dlopen() to ssh.
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant