[OpenAFS] AFS tokens, PAM and FTP

Charles Clancy security@xauth.net
Thu, 26 Jun 2003 20:09:20 -0500 (CDT)


Are you _sure_ pam_openafs_session is getting you a token?  A "session" is
typically defined as a tty being allocated, thus I wouldn't expect an ftp
daemon to call the session PAM modules.

Could proftpd be trying to cd into the directory before it's done
authenticating (perhaps looking for some .proftp file, or something)?
What if you set the user's shell to / temporarily, FTP in, and then see if
they can cd into that directory once you're 100% sure the authentication
is done.

I've used proftpd with AFS via PAM in the past, but it was not in a krb5
environment.

[ t. charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]

On Thu, 26 Jun 2003, Chris Crowther wrote:

> Hey All,
>
> 	OK, well I've poked google around, looked at archives and so far all I've
> actually managed to do is confuse myself slightly more (this is an
> achievement, I live in a permanent state of bewilderment).
>
> 	I'm trying to get proftpd to work with AFS by way of PAM.  I have
> pam_openafs_session grabbing tokens using the tickets grabbed by pam_krb5, as
> far as I can tell from the log files this is actually working.  Kerberos is
> issuing the ticket, the token is also getting issued and pam_openafs_session
> is saying that it got the token.
>
> 	Now, somewhere between getting the token and proftpd trying to cd into a
> user's home directory (which has an ACL on it only permitting them to get in)
> the token is buggering off somewhere because it (proftpd) can't do it.
>
> 	Erm, so - help?  Anybody got any ideas?  Or even a miracle cure, which would
> be very nice.
>
> --
> Chris "_Shad0w_" Crowther
> chrisc@shad0w.org.uk
> http://www.shad0w.org.uk/