[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Douglas E. Engert
deengert@anl.gov
Wed, 01 Nov 2006 09:44:17 -0600
Russ Allbery wrote:
> lamont <lamont@scriptkiddie.org> writes:
>
>
>>The pam_krb5afs in RedHat (I think RHEL4 or later) works around this issue
>>by introducing a use_shmem flag so that they can communicate between
>>processes.
>
>
> I think this is a ridiculously over-complex way of addressing the problem,
> but then I have that problem with most things in the Red Hat PAM module.
I agree. The krb5 and AFS should be in separate pam modules. Thus the pam_krb5
is the same with or without AFS. The pam_afs* then relies on the cache having
been saved and the KRB5CCNAME having been set in the pam_env so the aklog
can find it.
>
> My K5 PAM module just uses a temporary disk ticket cache, which works just
> fine. You have to establish the user's final ticket cache (and tokens and
> PAG) in pam_setcred or pam_open_session, that's all.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
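The split the thread argues for, written out as an sshd PAM stack. This is an added illustration, not configuration from the thread or from either module's documentation; it assumes the module file names pam_krb5.so and pam_afs_session.so and the option names shown, which should be checked against the installed modules' man pages.

```text
# /etc/pam.d/sshd (constructed example)
#
# Phase 1: authentication. pam_krb5 obtains a TGT and stores it in a
# temporary ticket cache; nothing AFS-specific happens here.
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so

account  required    pam_unix.so

# Phase 2: session. pam_krb5 moves the temporary cache to the user's
# final cache and exports KRB5CCNAME into the PAM environment.
session  optional    pam_krb5.so

# pam_afs_session must come AFTER pam_krb5 in this stack: it creates the
# PAG and runs aklog, which locates the cache through the KRB5CCNAME
# value pam_krb5 placed in the PAM environment. Listed first, it would
# run before the cache exists and obtain no tokens.
session  optional    pam_afs_session.so program=/usr/bin/aklog
session  required    pam_unix.so
```

If sshd is built with GSSAPI authentication and delegates the credentials itself, the auth lines for pam_krb5 are bypassed, but the session ordering above still holds because the delegated cache is exported the same way.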