[OpenAFS] pam and openafs 1.2.7 for RH 7.2
David Botsch
dwb7@ccmr.cornell.edu
Tue, 8 Oct 2002 17:16:30 -0400
While the auth_afs_token function is there, I believe it is misnamed.
You will note that it is called from the do_authenticated1() function
in session.c, which is called AFTER authentication takes place. The
only purpose of this auth_afs_token() function seems to be to pass the
token.
On 2002.10.08 16:19 Charles Clancy wrote:
> > As of openssh-3.4p1, to my knowledge, you cannot actually authenticate
> > with an afs token. You can only pass the token after authentication.
> > With Kerberos, however, you may be able to authenticate with the tgt you
> > already have.
>
> Authentication methods defined in openssh-3.4p1/auth-krb4.c:
> int auth_krb4_password(Authctxt *authctxt, const char *password)
> int auth_krb4_tgt(Authctxt *authctxt, const char *string)
> int auth_afs_token(Authctxt *authctxt, const char *token_string)
>
> Though I've never tried to use the third one. ;)
>
> > So, AFTER authentication (not before as used to be the case), openssh
> > can pass kerberos TGTs and afs tokens. It will appropriately set a
> > pagsh. You must compile openssh with the --with-afs --with-kerberos4
> > --with-kerberos5 (both client and server).
>
> It can do pure TGT stuff without --with-afs. You can do kaserver stuff
> without the --with-kerberos5.
>
> > I do not believe that token passing actually involves PAM (you would use
> > PAM if you were doing password auth, but the process of doing a password
> > auth with PAM would get you an afs token).
>
> Right. Token passing most certainly does not involve PAM. The module
> pam_afs.so can only do password-based authentication.
>
> [ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
>
>
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************