[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 2 Nov 2006 06:29:50 -0500 (EST)
On Thu, 2 Nov 2006, Simon Wilkinson wrote:
>
> On 1 Nov 2006, at 23:53, Jeffrey Hutzelman wrote:
>
> >
> > The PAM module that ships with OpenAFS does this. However, rather
> > than reusing whatever password the user most recently typed, it
> > uses the same password with which the auth module successfully
> > obtained a token. This is entirely reasonable, because PAM does
> > not call the setcred methods of modules whose authenticate method
> > did not succeed.
>
> OpenSSH (at least) can call setcred without calling authenticate when
> setting up users who have not been authenticated via PAM
> (for example, those using GSSAPI or public key authentication). Of
> course, the pam_afs module won't work at all in these circumstances,
> as these users never enter a password.
True. However, IIRC at least some versions of PAM will try very hard to
call individual modules' setcred methods in the same order in which the
authenticate methods were called, including not calling a module at all in
the setcred phase if it was not called in the auth phase. Too bad I can't
remember which one.