[OpenAFS-devel] Simplified integration of OpenAFS, Kerberos SSH and PAM (again)

Russ Allbery rra@stanford.edu
Wed, 11 May 2005 00:24:42 -0700


Douglas E Engert <deengert@anl.gov> writes:

> With all the problems with the integration of Krb5, AFS, PAM,
> and OpenSSH, I would like to bring forth *again* the concepts of
> separating out the pam_krb5 from the pam_afs2 from the aklog.

> The basic concepts are:

>   o Use the vendor's pam_krb5 without any AFS code.

>   o Provide a separate pam_afs that gets a PAG using syscall, or
>     /proc, and forks and execs a separate program to get the AFS token,
>     passing KRB5CCNAME= from the pam_getenv to the program.
>     The pam_afs2 has no AFS or Kerberos library dependencies.

>   o The separate program is your favorite aklog with whatever
>     version of Kerberos and AFS you want to use.

This is already what Debian does, except that #2 isn't handled very well
because there isn't a good way to call setpag right now that still works
when PIC code is required, doesn't depend on shared libraries with
possibly unstable ABIs, doesn't break when threading is required, etc.

Personally, I'd love to see AFS provide a shared library that contains
nothing but setpag and possibly the "stuff the token into the kernel" call
that aklog needs to use, since that could have an insanely stable ABI.  I
think that would make coming up with better solutions to a lot of these
problems far easier.

Short of that, getting PIC libraries can approximate this and is useful
for other things besides PAM (like the AFS Perl module).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
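As an added illustration of the fork/exec step in the quoted design (this is not code from the thread, from OpenAFS, or from Debian's pam_afs), the following C function runs an external token helper such as aklog in a child with a scrubbed environment that carries only the KRB5CCNAME value pam_krb5 exported and a fixed PATH, so the calling module links no Kerberos or AFS library. Obtaining the PAG is assumed to have happened before this call; the name `run_token_helper`, the PATH value and the helper path are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the external token getter (e.g. aklog) in a child process, handing it
 * only KRB5CCNAME (the value pam_krb5 exported via pam_getenv) and a fixed
 * PATH.  Nothing else from the caller's environment is inherited.  Returns the
 * child's exit status, or -1 on fork/wait failure or when no ccache name was
 * supplied (fail closed rather than run aklog against a default ccache). */
static int run_token_helper(const char *path, char *const argv[],
                            const char *ccname)
{
    char ccenv[1024];
    pid_t pid;
    int status;

    if (ccname == NULL || *ccname == '\0')
        return -1;                         /* no ccache name: refuse to run */
    if (snprintf(ccenv, sizeof ccenv, "KRB5CCNAME=%s", ccname)
        >= (int) sizeof ccenv)
        return -1;                         /* oversized value: refuse to run */

    /* Minimal environment for the child: the ccache name and a fixed PATH. */
    char *const envp[] = { ccenv, "PATH=/usr/bin:/bin", NULL };

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Assumed: the PAG for this login was already obtained by the caller,
         * so the token the helper stores lands in that PAG only. */
        execve(path, argv, envp);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In a real module the caller would pass the aklog path and arguments it was configured with and treat any non-zero return as "no token", leaving the Kerberos side of the login untouched.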