[OpenAFS] PAGs aklog and PAM
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 13 Jun 2001 01:59:25 -0400 (EDT)
On Tue, 12 Jun 2001, Charles Clancy wrote:
> In looking at the aklog source, it looks like its PAG code used to do a
> setpag(), but now ktc_SetToken() takes care of that:
>
> from aklog_main.c:
> /*
> * The code that _used_ to be here called setpag(). When you think
> * about this, doing this makes no sense! setpag() allocates a PAG
> * only for the current process, so the token installed would have
> * not have been usable in the parent! Since ktc_SetToken() now takes a
> * 4th argument to control whether or not we're going to allocate
> * a PAG (and since when you do it _that_ way, it modifies the cred
> * structure of your parent), why don't we use that instead?
> */
>
> Does anyone have any comments on ktc_SetToken()? Would it be better to
> use that, instead of setpag()?
In aklog, yes. In a PAM module, no. ktc_SetToken stores a token in the
token cache. One of its arguments is a set of flags, and one of those
flags means to create a new PAG to hold the token being set. As the
comment above describes, when this mode is used, the new PAG is associated
not only with the process calling ktc_SetToken(), but also with the
_parent_ of that process. So, running 'aklog -setpag' from a shell
changes the shell's PAG -- useful, but not what you'd normally expect in a
UNIX environment.
The right thing to do for PAM modules or anything else that is doing a
login-like operation is to first call setpag() to set a new pag, and then
use ktc_SetToken with the flags set to 0. As Derrick mentions, there is a
library included with kth-krb4 and heimdal which hides the details of KTC
interactions. There is also a standalone library which can be used with
other Kerberos implementations.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
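The following is an added example, not code from the OpenAFS tree or from anyone in this thread. It is a small user-space model of the credential semantics the reply above describes: setpag() gives a fresh PAG to the calling process only, while ktc_SetToken() called with its "make a new PAG" flag installs the new PAG in the caller and in the caller's parent. The names model_setpag(), model_ktc_settoken(), MODEL_SETTOK_SETPAG, spawn() and token_of() are hypothetical stand-ins (the real PAG lives in the kernel credential and the real token cache is in the AFS cache manager); the process names and the token string are constructed sample input. The third scenario goes one step beyond the message: it shows the consequence, for a login daemon, of choosing the flag instead of setpag() first, namely that the daemon's own credential is changed and a later session spawned by that daemon inherits the first user's PAG and token.

```c
/*
 * Added example: a model of PAG and token-cache semantics, NOT OpenAFS code.
 * model_setpag()/model_ktc_settoken() are hypothetical stand-ins for
 * setpag()/ktc_SetToken(); MODEL_SETTOK_SETPAG stands in for the
 * "allocate a new PAG" flag described in the thread.
 */
#include <stdio.h>
#include <string.h>

#define MODEL_SETTOK_SETPAG 0x1
#define NO_PAG 0u
#define MAX_PAGS 16

struct proc {
    const char *name;
    struct proc *parent;   /* the process that spawned this one */
    unsigned int pag;      /* PAG held in the credential; copied to children at spawn */
};

/* token cache keyed by PAG: every process holding that PAG sees the token */
static struct { unsigned int pag; char token[32]; } cache[MAX_PAGS];
static int ncache;
static unsigned int next_pag = 1;

static void model_reset(void) { ncache = 0; next_pag = 1; }

/* fork-like spawn: the child inherits the parent's credential, PAG included */
static struct proc spawn(const char *name, struct proc *parent)
{
    struct proc p;
    p.name = name;
    p.parent = parent;
    p.pag = parent ? parent->pag : NO_PAG;
    return p;
}

/* setpag(): a fresh PAG for the calling process only; children spawned later inherit it */
static void model_setpag(struct proc *p) { p->pag = next_pag++; }

static void cache_store(unsigned int pag, const char *tok)
{
    int i;
    for (i = 0; i < ncache; i++)
        if (cache[i].pag == pag) { snprintf(cache[i].token, sizeof cache[i].token, "%s", tok); return; }
    if (ncache < MAX_PAGS) {
        cache[ncache].pag = pag;
        snprintf(cache[ncache].token, sizeof cache[ncache].token, "%s", tok);
        ncache++;
    }
}

/* ktc_SetToken(): with the SETPAG flag it allocates a PAG and installs it in the
 * caller AND the caller's parent (the behaviour the reply describes); the token
 * is then stored under the caller's PAG. Returns -1 if there is no PAG to hold it. */
static int model_ktc_settoken(struct proc *p, const char *tok, int flags)
{
    if (flags & MODEL_SETTOK_SETPAG) {
        unsigned int pag = next_pag++;
        p->pag = pag;
        if (p->parent) p->parent->pag = pag;
    }
    if (p->pag == NO_PAG) return -1;
    cache_store(p->pag, tok);
    return 0;
}

/* what "tokens" would show for this process: the token bound to its PAG, or NULL */
static const char *token_of(const struct proc *p)
{
    int i;
    for (i = 0; i < ncache; i++)
        if (cache[i].pag == p->pag) return cache[i].token;
    return NULL;
}

/* 'aklog -setpag' run from an interactive shell: the shell's own PAG changes and
 * the shell can use the token. Returns 1 when both hold. */
static int demo_aklog_setpag_from_shell(void)
{
    struct proc login_prog, shell, aklog;
    unsigned int before;
    model_reset();
    login_prog = spawn("login", NULL);
    shell = spawn("bash", &login_prog);
    model_setpag(&shell);                          /* shell starts out in its own PAG */
    before = shell.pag;
    aklog = spawn("aklog", &shell);
    model_ktc_settoken(&aklog, "afs@EXAMPLE.ORG", MODEL_SETTOK_SETPAG);
    return shell.pag != before && token_of(&shell) != NULL;
}

/* The login-like (PAM) sequence the reply recommends: setpag() first, then
 * ktc_SetToken() with flags 0. Returns 1 when the daemon keeps its own credential
 * while the session and anything it spawns see the token. */
static int demo_pam_correct(void)
{
    struct proc sshd, session, child;
    model_reset();
    sshd = spawn("sshd", NULL);
    session = spawn("session-alice", &sshd);
    model_setpag(&session);
    model_ktc_settoken(&session, "alice@EXAMPLE.ORG", 0);
    child = spawn("bash", &session);
    return sshd.pag == NO_PAG && token_of(&session) != NULL && token_of(&child) != NULL;
}

/* The same login using the SETPAG flag instead: the daemon's credential is modified,
 * so a later, unrelated session it spawns inherits the first user's PAG and token.
 * Returns 1 when the second session can see the first user's token. */
static int demo_pam_wrong(void)
{
    struct proc sshd, session1, session2;
    model_reset();
    sshd = spawn("sshd", NULL);
    session1 = spawn("session-alice", &sshd);
    model_ktc_settoken(&session1, "alice@EXAMPLE.ORG", MODEL_SETTOK_SETPAG);
    session2 = spawn("session-bob", &sshd);        /* spawned later, inherits sshd's PAG */
    return token_of(&session2) != NULL && strcmp(token_of(&session2), "alice@EXAMPLE.ORG") == 0;
}

int main(void)
{
    printf("aklog -setpag from a shell changes the shell's PAG: %d\n", demo_aklog_setpag_from_shell());
    printf("PAM setpag() then SetToken(flags=0) isolates the daemon: %d\n", demo_pam_correct());
    printf("PAM SetToken(SETPAG) leaks the PAG to the next session: %d\n", demo_pam_wrong());
    return 0;
}
```

The first scenario is the "useful, but not what you'd normally expect in a UNIX environment" case from the reply; the second is the recommended sequence for a PAM module; the third is why the order matters for anything that runs under a long-lived daemon, since a PAG set in the daemon's credential is inherited by every session it spawns afterwards.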