[OpenAFS-devel] Simplified integration of OpenAFS, Kerberos SSH and PAM (again)

Douglas E. Engert deengert@anl.gov
Wed, 11 May 2005 07:52:40 -0500


Russ Allbery wrote:

> Douglas E Engert <deengert@anl.gov> writes:
>
>> With all the problems with the integration of Krb5, AFS, PAM,
>> and OpenSSH, I would like to bring forth *again* the concepts of
>> separating out the pam_krb5 from the pam_afs2 from the aklog.
>
>> The basic concepts are:
>
>>   o Use the vendor's pam_krb5 without any AFS code.
>
>>   o Provide a separate pam_afs that gets a PAG using syscall, or
>>     /proc, and forks/execs a separate program to get the AFS token,
>>     passing KRB5CCNAME= from the pam_getenv to the program.
>>     The pam_afs2 has no AFS or Kerberos libs dependencies.
>
>>   o The separate program is your favorite aklog with whatever
>>     version of Kerberos and AFS you want to use.
>
> This is already what Debian does,

That's part of the argument: it's a single vendor's solution. What about the
other vendors, including SUN, HP, IBM, SGI, MAC and other Linux?

> except that #2 isn't handled very well
> because there isn't a good way to call setpag right now that still works
> when PIC code is required, doesn't depend on shared libraries with
> possibly unstable ABIs, doesn't break when threading is required, etc.

That is the intent of gafstokens. It uses syscall or, on Linux, the /proc file
to set the PAG. It uses no AFS headers (but could) or libs, is PIC code, and
protects itself by trapping some signals. It fork/execs an aklog-like program
to get the tokens. It compiles to libgafstoken.so.

> 
> Personally, I'd love to see AFS provide a shared library that contains
> nothing but setpag and possibly the "stuff the token into the kernel" call
> that aklog needs to use, since that could have an insanely stable ABI.  I
> think that would make coming up with better solutions to a lot of these
> problems far easier.

I agree. For the PAG it could even be a macro, as it really comes
down to a syscall.

I would rather see two separate libs, as the PAG needs to be obtained from
the session leader, which usually means it has to be called from some
system daemon, like sshd, dtlogin, or gdm, usually from PAM.

The tokens on the other hand can be obtained from a child process like
aklog.

> 
> Short of that, getting PIC libraries can approximate this and is useful
> for other things besides PAM (like the AFS Perl module).
> 

  libgafstoken.so

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444