[OpenAFS] ssh and afs

Charles Clancy security@xauth.net
Mon, 13 May 2002 21:48:55 -0500 (CDT)


> > > Has anyone gotten pam-openafs-session working on Solaris 8? I am having
> > > a hell of a time with it...
> >
> > I had major problems with it too.  It just doesn't work.  It should be
> > called pam-linux-openafs-session.  That's why I wrote pam_aklog for
> > Solaris.
> >
>
> Thanks Charles for the pam module but I can't get it to work,
>
> I get this though when compiling, gcc 2.95.3 on solaris 8
>
> pam_aklog.c: In function `pam_sm_open_session':
> pam_aklog.c:39: warning: passing arg 2 of `execvp' from incompatible pointer type
>
> execvp's second argument via the man page is const *char argv[] which as far as I
> knew was not incompatible with const char **argv?

Since *argv == argv[], gcc is just complaining about the "const" part,
which shouldn't really matter.  I was too lazy to resolve the warning for
that exact reason.

I just tried it out, and it worked for me.  There does seem to be a minor
problem with the Makefile.  You may need to "s/$AFSDIR/$(AFSDIR)/".  If
you got it to build, I suspect you already found that problem.

Since I'm on a kaserver-based cell at the moment, I created a fake
/usr/afsws/bin/aklog:

	#!/bin/sh

	echo "Running pretend aklog..."
	date >> /tmp/aklog-stuff
	/usr/local/bin/whoami >> /tmp/aklog-stuff

Make sure you specify the path and filename for aklog as an argument to
pam_aklog.so in /etc/pam.conf:

telnet session optional /usr/lib/security/pam_aklog.so.1 \
				/usr/afsws/bin/aklog

Testing it out:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


SunOS 5.8

login: tclancy
Password:
Running pretend aklog...
Last login: Mon May 13 21:11:42 from ...
Sun Microsystems Inc.    SunOS 5.8      Generic February 2000

You have no new email.
[tclancy] ismene:~> groups
tclancy 33536 32515

[tclancy] ismene:~> cat /tmp/aklog-stuff
Mon May 13 21:23:58 CDT 2002
tclancy

So it ran the program and got me a PAG.  I tested with telnet instead of
ssh because I'm off-campus for the summer and am accessing everything
through ssh in the first place, and don't want to mess things up and lose
access to my machine.

Hey, if you're still having problems with it 2 weeks from now, let me
know.  I'll be living in College Park, MD for the summer with nothing to
do on the weekends, and would gladly stop by.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
[  crypto  ][  coordinated science lab  ][  university of illinois  ]
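
The execvp warning discussed in this message, as an added example that is not part of the original post and is not code from pam_aklog.c: POSIX declares the second parameter of execvp as `char *const argv[]`, so a `const char **` is flagged, and one way to avoid the warning is to build a correctly typed array before the call. The names `run_helper` and `MAX_ARGS` are hypothetical, and `/bin/sh` stands in for the aklog binary.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 8   /* hypothetical limit for this example */

/* Hypothetical helper: run args[0] with the NULL-terminated list `args`.
 * Returns the child's exit status, or -1 if it could not be run or waited on. */
int run_helper(const char *const args[])
{
    char *argv[MAX_ARGS + 1];
    size_t n = 0;
    pid_t pid;
    int status;

    if (args == NULL || args[0] == NULL)
        return -1;

    /* execvp() takes `char *const argv[]`: constant pointers to non-const
     * char. `const char **` does not convert to that implicitly, hence the
     * "incompatible pointer type" warning. exec does not modify the strings,
     * so the const is cast away per element into a correctly typed array. */
    for (; args[n] != NULL; n++) {
        if (n == MAX_ARGS)
            return -1;              /* refuse to truncate silently */
        argv[n] = (char *)args[n];
    }
    argv[n] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: never return into the caller */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample command standing in for the configured aklog path. */
    const char *const demo[] = { "/bin/sh", "-c", "exit 3", NULL };
    return run_helper(demo) == 3 ? 0 : 1;
}
```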