[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Douglas E. Engert deengert@anl.gov
Tue, 31 Oct 2006 10:51:51 -0600


Russ Allbery wrote:

> Douglas E Engert <deengert@anl.gov> writes:
> 
> 
>>Rather than having to modify ssh to swap the order of the
>>calls to pam_setcred and pam_open_session, you could look at
>>using one of the pam_afs modules that will get the token and PAG
>>during the pam_setcred. For example the pam_openafs_session.so
>>module can be called from "auth" and it will get the token
>>during pam_setcred.
> 
> 
> pam_openafs_session.so relies on aklog -setpag, which is what sparked this
> whole discussion.  That functionality appears to have broken with the
> latest kernels and the latest OpenAFS.  I had one report that it started
> working again after reverting the kernel module to 1.4.2-fc3 and one
> report that that didn't help.
> 
> -setpag is, as Jeff points out, living on borrowed time.  It may be
> possible to fix this; I don't know the Linux kernel internals well enough
> to tell you.  However, the best solution is to switch to a PAM module that
> creates a PAG through a direct system call during open_session or setcred.

OK, that is what pam_afs2.so does. It basically uses the proc_afs_syscall
from sys/glue.c:

rval = proc_afs_syscall(AFSCALL_SETPAG,0,0,0,0,&ret);

glue.c or glue.o could be included/linked in.

Or go one step up, to lsetpag.c that calls the proc_afs_syscall
on Linux.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444