[OpenAFS] AFS Authentication from Apache?

Charles Clancy security@xauth.net
Sat, 19 Oct 2002 01:39:47 -0500 (CDT)


> I've been banging my head about this for quite some time, but I can't
> seem to get it to work. Basically, all I want to do is have users
> authenticate to Apache using their AFS accounts.
>
> I've tried using mod_auth_pam, but it doesn't work, returning cryptic
> error messages about the account not existing, having expired, etc. (in
> random order), and also disrupting the rest of the web sites. I presume
> this is because I have the sites in AFS space, and when the pam module
> is used, it obtains a token for the user logging in, destroying my
> apache token for that server process.

To use full-blown PAM, you'll need /etc/passwd-ish entries for your AFS
users.

I've used mod_auth_external in the past.  Essentially, you give apache the
name of a script and it pipes the username/password to it.  Depending on
the errorlevel when the script exits, it decides whether or not it was
successful.

I wrote a script that would grab a PAG, try to authenticate, then return
success or failure.  Since it directly called klog, it didn't need the
users to have NSS info to log in, and since it grabbed a new PAG, there
weren't any token overwriting issues.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
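
An authenticator of the kind described in the message above, as an added example; it is not the author's script and not code from this thread. It assumes the web server writes the username and password to the script's stdin, one per line, and treats exit status 0 as success, and that pagsh starts a POSIX shell. `PAGSH`, `KLOG`, `AUTH_USER` and the `--check` argument are hypothetical names introduced here.

```bash
#!/bin/bash
# Added example: check an AFS username/password pair in a fresh PAG.
# Assumption: stdin carries "username\npassword\n"; exit 0 means accept.
# PAGSH and KLOG are hypothetical overrides so the commands can be stubbed.
PAGSH="${PAGSH:-pagsh}"
KLOG="${KLOG:-klog}"

# Accept only conservative usernames, so the value can never be parsed as an
# option or as shell syntax by the commands run below.
valid_user() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Read the credentials from stdin and try them with klog inside a new PAG.
# Returns 0 on success, 2 on malformed input, klog's status otherwise.
afs_auth() {
    local user pass
    IFS= read -r user || return 2
    IFS= read -r pass || return 2
    valid_user "$user" || return 2
    [ -n "$pass" ] || return 2
    # pagsh runs the command in a new PAG, so a token obtained by klog is not
    # attached to the web server's PAG and cannot replace its token.
    # The password is sent on stdin (klog -pipe), never on a command line
    # where it would be visible in the process list.
    printf '%s\n' "$pass" |
        AUTH_USER="$user" KLOG="$KLOG" "$PAGSH" -c \
            'exec "$KLOG" -principal "$AUTH_USER" -pipe' >/dev/null 2>&1
}

# Act as the authenticator only when invoked with --check, so the functions
# above can also be loaded and exercised on their own.
if [ "${1:-}" = "--check" ]; then
    afs_auth
    exit $?
fi
```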