[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 01 Nov 2006 18:53:16 -0500
On Tuesday, October 31, 2006 09:01:07 AM -0600 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> Rather than having to modify ssh to swap the order of the
> calls to pam_setcred and pam_open_session, you could look at
> using one of the pam_afs modules that will get the token and PAG
> during the pam_setcred. For example the pam_openafs_session.so
> module can be called from "auth" and it will get the token
> during pam_setcred.
The PAM module that ships with OpenAFS does this. However, rather than
reusing whatever password the user most recently typed, it uses the same
password with which the auth module successfully obtained a token. This is
entirely reasonable, because PAM does not call the setcred methods of
modules whose authenticate method did not succeed.
However, ssh runs the authenticate operation in a separate process, with no
opportunity to communicate that password to the setcred method. We call
back into the PAM framework to set a module-specific data item, but then
when we return, the process exits, taking our data with it.
The OpenAFS PAM module does nothing at all in pam_open_session, so the
relative order of calls to setcred and open_session does not matter.
However, the order in which they are called with respect to other
operations may be relevant.