[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Russ Allbery rra@stanford.edu
Fri, 03 Nov 2006 08:34:46 -0800


Douglas E Engert <deengert@anl.gov> writes:

> If it was integrated into the source, I would expect to use the
> lsetpag, and glue source and header files to be able to get a PAG.

You can't use lsetpag in a PAM module right now.  There is no shared
library that provides it.  I think the consensus was that this wasn't the
PAG interface we really wanted to put more work into; the kafs interface
is better.

> I would rather avoid the kafs interface and use the external aklog if at
> all possible. It avoids bringing in any additional AFS libs and their
> dependencies into an application that calls PAM thus avoiding clashes
> and keeping it simple.

I believe the kafs interface is the correct long-term approach for most
sites, and therefore want to work on a PAM module that uses it, but it
will be an optional compile-time configuration on Linux at least since I
need something that works on Linux with OpenAFS right now and libkopenafs
is an OpenAFS 1.6 thing.  Once libkopenafs shows up, you'll have what you
want for the time being since libkopenafs will be a stand-alone shared
library that only exposes the k_hasafs, k_setpag, k_pioctl, and k_unlog
interfaces; the PAM module built against libkopenafs (or on Linux without
any supporting libraries) will not have any Kerberos dependencies and will
always use an external aklog.

Eventually, I would like to see aklog become a library that provides the
rest of the kafs interface, but when we do that, we can try to ensure that
people who want to avoid Kerberos dependencies can continue to do so.
Maybe rather than integrating those functions into libkopenafs, we'll add
a new library or something.  That bridge is a bit off into the future,
though, so we can worry about crossing it later.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
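The sequence the message describes, a session module that creates a PAG through the kafs interface (k_hasafs, k_setpag, k_unlog) and then hands token acquisition to an external aklog rather than linking any Kerberos library, as an added C illustration. This is not code from the thread, from pam-afs-session, or from OpenAFS. The library is loaded with dlopen so the caller has no link-time AFS dependency at all; the soname libkopenafs.so.1, the aklog path /usr/bin/aklog, the KRB5CCNAME hand-off and the status enum are assumptions of this example, not details the e-mail specifies.

```c
/* Added example: PAG first via libkopenafs, then tokens via an external aklog.
 * Not code from OpenAFS or pam-afs-session; library name and aklog path are
 * assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of one token-acquisition attempt (assumed names). */
enum afs_status {
    AFS_OK = 0,
    AFS_NO_LIBRARY,     /* libkopenafs not loadable: treat as "no AFS here" */
    AFS_NO_CLIENT,      /* library loaded but k_hasafs() reports no cache manager */
    AFS_SETPAG_FAILED,  /* k_setpag() returned non-zero */
    AFS_AKLOG_FAILED    /* aklog could not be run or exited non-zero */
};

/* Entry points resolved from libkopenafs (k_pioctl is not needed here). */
struct kafs {
    void *handle;
    int (*hasafs)(void);
    int (*setpag)(void);
    int (*unlog)(void);
};

/* Resolve the kafs interface at run time; 0 on success, -1 if absent. */
static int kafs_load(struct kafs *k, const char *soname)
{
    memset(k, 0, sizeof *k);
    k->handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (k->handle == NULL)
        return -1;
    /* POSIX idiom for storing dlsym()'s void * into a function pointer. */
    *(void **)&k->hasafs = dlsym(k->handle, "k_hasafs");
    *(void **)&k->setpag = dlsym(k->handle, "k_setpag");
    *(void **)&k->unlog  = dlsym(k->handle, "k_unlog");
    if (k->hasafs == NULL || k->setpag == NULL || k->unlog == NULL) {
        dlclose(k->handle);
        k->handle = NULL;
        return -1;
    }
    return 0;
}

/* Run aklog as the target user with a minimal environment. KRB5CCNAME tells
 * aklog which ticket cache to read. Returns the exit status, 127 if the exec
 * failed, -1 on fork/wait failure. */
int run_aklog(const char *aklog_path, uid_t uid, gid_t gid, const char *ccname)
{
    char ccenv[1024];
    char *envp[3];
    int n = 0, status;
    pid_t pid;

    if (ccname != NULL) {
        snprintf(ccenv, sizeof ccenv, "KRB5CCNAME=%s", ccname);
        envp[n++] = ccenv;
    }
    envp[n++] = "PATH=/usr/bin:/bin";
    envp[n] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Never run aklog with the PAM caller's (usually root's) privileges;
         * drop the group first, then the user. */
        if (getuid() == 0 && (setgid(gid) != 0 || setuid(uid) != 0))
            _exit(127);
        char *argv[] = { "aklog", NULL };
        execve(aklog_path, argv, envp);   /* absolute path, no PATH search */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Whole sequence: setpag before aklog, so the tokens land in the new PAG
 * rather than the one the login process inherited. */
int afs_obtain_tokens(const char *soname, const char *aklog_path,
                      uid_t uid, gid_t gid, const char *ccname)
{
    struct kafs k;
    int rc;

    if (kafs_load(&k, soname) != 0)
        return AFS_NO_LIBRARY;
    if (!k.hasafs()) { dlclose(k.handle); return AFS_NO_CLIENT; }
    if (k.setpag() != 0) { dlclose(k.handle); return AFS_SETPAG_FAILED; }
    rc = run_aklog(aklog_path, uid, gid, ccname);
    dlclose(k.handle);
    return rc == 0 ? AFS_OK : AFS_AKLOG_FAILED;
}

int main(void)
{
    /* Assumed library name and aklog location; adjust for the local install. */
    int rc = afs_obtain_tokens("libkopenafs.so.1", "/usr/bin/aklog",
                               getuid(), getgid(), getenv("KRB5CCNAME"));
    printf("afs_obtain_tokens: %d\n", rc);
    return rc == AFS_OK ? 0 : 1;
}
```

On a host without libkopenafs the call returns AFS_NO_LIBRARY; a real session module has to decide (by configuration) whether that is a failure or simply "no AFS, nothing to do". The matching session-close step would resolve k_unlog the same way and call it before the PAG goes away.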