[OpenAFS-devel] Re: [OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Russ Allbery rra@stanford.edu
Wed, 13 Apr 2005 22:43:50 -0700


Moved to openafs-devel.

Derrick J Brashear <shadow@dementia.org> writes:
> On Wed, 13 Apr 2005, Douglas E. Engert wrote:

>> pam_afs2 is not doing authentication, it is there to get a PAG and
>> token using the credentials saved by a previous pam or by the
>> application like OpenSSH.

> I wrote that in like 1997, it was called pam_afs, used the kerberos
> tickets gotten by pam_krb4, and linked libraries instead of forking;-)

The difficulty with doing this right now is that PAM modules need to be
PIC and right now none of the AFS libraries are built PIC, so it's hard to
get at setpag.  Also, PAM modules in practice need to be thread-safe, so
they need to be built against the new pthread-aware AFS library API rather
than the old one (although this mainly affects the PAM modules bundled
with OpenAFS).

I was thinking about grabbing a copy of the latest 1.3.x source and
working on this, unless there's something else I should start from.  Is
someone else already working on it?

There are lots of ways to do this, but the best way would be to import
libtool and build the new AFS libraries with it (not worrying about the
old ones for the first pass).  This means that anything built against
those libraries would also need to be built and installed by libtool.
What are the opinions around these parts on libtool?

I can probably pull this off; I've converted a large package with multiple
libraries and its own "special" build system to libtool before (INN).  Let
me know if it sounds like a reasonable idea.

(And yeah, I still owe y'all some man pages, but getting working PAM
modules is a more urgent Stanford priority and I've already done a chunk
of the work for my own purposes.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>