[OpenAFS-devel] Simplified integration of OpenAFS, Kerberos SSH and PAM (again)

Douglas E. Engert deengert@anl.gov
Wed, 11 May 2005 07:32:46 -0500 

André Balsa wrote:

> On Tuesday 10 May 2005 23:13, Douglas E. Engert wrote:
> 
>>With all the problems with the integration of Krb5, AFS, PAM,
>>and OpenSSH. I would like to bring forth *again* the concepts of
>>separating out the pam_krb5 from the pam_afs2 from the aklog.
>>
>>The basic concepts are:
>>
>>  o Use the vendor's pam_krb5 without any AFS code.
>>
>>  o Provide a separate pam_afs that gets a PAG using syscall, or
>>    /proc and forks execs a separate program to get the AFS token
>>    passing KRB5CCNAME= from the pam_getenv to the program.
>>    The pam_afs2 has no AFS or Kerberos libs dependencies.
>>
>>  o The separate program is your favorite aklog with whatever
>>    version of Kerberos and AFS you want to use.
> 
> 
> Hello,
> 
> This is just a short comment on the above.
> 
> The idea sounds good to me. I wish we could have an open discussion of the 
> above, without any prejudice in favor or against the proposed changes.
> 
> I also understand this is a suggestion for the direction of future 
> developments. Who would be responsible for implementing these changes and 
> maintaining the corresponding code is another matter, as I believe the 
> present OpenAFS team already has a high enough workload.

I would suggest the OpenAFS needs to maintain the pam_afs2 code and
the gafstoken routine. What has happened without this is some Linux
vendors have developed pam modules for krb5, or krb5+afs, but not all
vendors do this, thus leaving it up to the sysadmin.

OpenAFS already has a aklog, and I have the gssklog for systems
that don't have Kerberos exposed, and I have said it could be donated to
OpenAFS.

If OpenAFS can provide the kernel extensions, they certainly can provide
the simple PAM interface too.

There is not a lot of code here, two source files  pam_afs2.c has 324 lines
of code, and the gafstoken.c has 412 lines.



> 
> Thanks, regards,

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444