[OpenAFS-devel] Simplified integration of OpenAFS, Kerberos SSH and PAM (again)

Russ Allbery rra@stanford.edu
Fri, 13 May 2005 01:51:32 -0700


Douglas E Engert <deengert@anl.gov> writes:

> The basic concepts are:

>   o Provide a separate pam_afs that gets a PAG using a syscall or
>     /proc and forks/execs a separate program to get the AFS token,
>     passing KRB5CCNAME= from pam_getenv to the program.
>     The pam_afs2 has no AFS or Kerberos library dependencies.

[...]

> For more info see:

> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar

I consider it very much not kosher to play with signal handlers inside a
PAM module.  I understand why you're doing that, but I think it's a lot
better to just say "don't use this PAM module if you don't have the AFS
kernel module loaded" in the documentation than mess with the signal
handlers of the calling process (which may be multithreaded, etc.).

Between that and not wanting to figure out what of this code should be
deleted once the code is integrated with the AFS source base and therefore
doesn't need its own idea of syscall numbers, etc., I started from scratch
rather than using this.

You should be able to use my shared library here if you want, though, by
just replacing lsetpagx in gafstoken with a call to lsetpag and linking
against libafssetpag.  (Although you'll need to keep the redirection for
AIX if you want it.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
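As an added example (not Douglas's pam_afs2/gafstoken code and not Russ's libafssetpag), here is the quoted design's "fork/exec a helper and hand it KRB5CCNAME" step written so that nothing in the calling process is touched: no signal handler is installed, the child gets a minimal environment, and a lost exit status is reported rather than worked around. The helper path and argv are the caller's (the real gafstoken is not assumed), and /bin/sh stands in for the helper in the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a token-acquisition helper (path and argv are the caller's; the real
 * gafstoken is not assumed here) in a child, handing it only KRB5CCNAME and
 * a fixed PATH.  In a real module the ccache name would come from
 * pam_getenv(pamh, "KRB5CCNAME").  The parent's signal dispositions and
 * environment are left untouched.  Returns the helper's exit status, 127 if
 * it could not be executed, or -1 on an internal failure. */
int run_token_helper(const char *helper, char *const argv[], const char *ccname)
{
    if (helper == NULL || ccname == NULL || *ccname == '\0')
        return -1;

    /* Minimal child environment: do not leak the login process's variables. */
    char ccvar[4096];
    if (snprintf(ccvar, sizeof(ccvar), "KRB5CCNAME=%s", ccname) >= (int)sizeof(ccvar))
        return -1;
    char *envp[] = { ccvar, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);
        _exit(127);                 /* exec failed; report via exit status */
    }

    /* Wait for this child only, retrying on EINTR, without installing any
     * SIGCHLD handler.  If the caller has set SIGCHLD to SIG_IGN, waitpid
     * fails with ECHILD and the status is lost; report that as a failure. */
    int status;
    pid_t r;
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);
    if (r < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Stand-alone demo with /bin/sh standing in for the token helper. */
    char *argv[] = { "sh", "-c", "echo \"helper sees KRB5CCNAME=$KRB5CCNAME\"", NULL };
    return run_token_helper("/bin/sh", argv, "FILE:/tmp/krb5cc_demo") == 0 ? 0 : 1;
}
```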