[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Russ Allbery rra@stanford.edu
Thu, 02 Nov 2006 18:52:10 -0800


Douglas E Engert <deengert@anl.gov> writes:

> Password? I thought we were talking K5, where the K5 ticket is obtained
> either via pam_krb5, or via delegated GSSAPI credential as sshd does, so
> AFS only needs the location of the ticket cache.

The thread started with a discussion of the pam_afs module in the current
source tree, which uses the kaserver.

> If I were to integrate pam_afs2 into the AFS source tree would it be
> considered for inclusion?

I looked at it extensively during the Hackathon and I don't think it's the
fully correct approach.  It's a step in the right direction, but I have a
similar start already that doesn't use a separate source of the AFS system
call layer.  I should have a similar module for testing before too long (a
few months at most).  See the design specification that I sent to
openafs-devel a few weeks back; basically, the goal is to standardize on
the kafs interface and write a PAM module that uses it with some fallbacks
as needed and support for an external aklog program if one must.

It's better than anything else we have right now, though, so I'm happy to
recommend it to people in the interim.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>