[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 2 Nov 2006 09:06:04 +0000


On 1 Nov 2006, at 23:53, Jeffrey Hutzelman wrote:

>
> The PAM module that ships with OpenAFS does this.  However, rather  
> than reusing whatever password the user most recently typed, it  
> uses the same password with which the auth module successfully  
> obtained a token.  This is entirely reasonable, because PAM does  
> not call the setcred methods of modules whose authenticate method  
> did not succeed.

OpenSSH (at least) can call setcred without calling authenticate when
setting up users who have not been authenticated via PAM (for example,
those using GSSAPI or public key authentication). Of course, the
pam_afs module won't work at all in these circumstances, as these
users never enter a password.

Simon.
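
A small model of the two call paths discussed in this thread, added here as an illustration; it is not code from the message, from OpenAFS or from Linux-PAM. `struct handle`, `mod_authenticate`, `mod_setcred`, `password_ok` and the sample password are hypothetical stand-ins for a module's per-login state and entry points.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not Linux-PAM or pam_afs code. "struct handle" stands in
   for the per-login state a real module keeps between its entry points. */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_IGNORE };

struct handle {
    const char *typed_password; /* NULL: user never typed one (GSSAPI, public key) */
    const char *auth_password;  /* recorded only by a successful authenticate */
    int have_token;             /* 1 once setcred has obtained a token */
};

/* Hypothetical verifier standing in for the real token request. */
static int password_ok(const char *pw) {
    return pw != NULL && strcmp(pw, "correct-sample") == 0;
}

enum rc mod_authenticate(struct handle *h) {
    if (!password_ok(h->typed_password))
        return RC_AUTH_ERR;
    h->auth_password = h->typed_password; /* the password that actually worked */
    return RC_SUCCESS;
}

enum rc mod_setcred(struct handle *h) {
    /* Reached without authenticate: no recorded password, so there is
       nothing to build a token from. Decline instead of using NULL. */
    if (h->auth_password == NULL)
        return RC_IGNORE;
    h->have_token = password_ok(h->auth_password);
    return h->have_token ? RC_SUCCESS : RC_AUTH_ERR;
}

/* Password login: setcred runs only after authenticate succeeded. */
enum rc password_login(struct handle *h) {
    enum rc r = mod_authenticate(h);
    return r == RC_SUCCESS ? mod_setcred(h) : r;
}

/* Login authenticated outside PAM: the application calls setcred directly. */
enum rc non_pam_login(struct handle *h) {
    return mod_setcred(h);
}
```

In the second path the model ends with no token, which is the outcome the message describes for users who never enter a password.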