[OpenAFS-devel] OpenAFS and OpenSSH-3.8
Douglas E. Engert
deengert@anl.gov
Tue, 02 Mar 2004 06:35:38 -0600
Derek Atkins wrote:
>
> "Douglas E. Engert" <deengert@anl.gov> writes:
>
> >> (2) PAM could be called when GSSAPI is used for authentication.
> >> A PAM session routine could do the setpag, as long as the PAM
> >> routine is run from the correct process.
>
> IMHO this seems like the best solution... Continue to use the PAM
> "session" modules even when using GSSAPI authentication.
>
> > That might help. But it does not help with the gssapi delegated credentials,
> > as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
> > context. It's not in the gssapi case.
>
> Why doesn't it help?
Because when the GSSAPI is used, the delegated credential is not
in s->authctxt->krb5_ctx, so the current kafs does not work with a
delegated credential. But in all cases the credentials are in the cache,
so a program like aklog called at this point can use the KRB5CCNAME.
>
> > But both the GSSAPI delegated creds or the credentials obtained via user/password
> > have been written to the cache, and the ENV KRB5CCNAME has been set.
> > That's why running aklog or afslog works.
>
> Exactly. Running a pam session module (that is itself a shared
> library) can perform the setpag for you. This seems to solve your
> problem without adding a direct dlopen() to ssh.
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444