[OpenAFS] help with pam-openafs-session
Charles Clancy
security@xauth.net
Thu, 15 May 2003 11:06:16 -0500 (CDT)
On Tue, 13 May 2003, Renato Arruda wrote:
> Hi,
>
> I'm running OpenAFS 1.2.7 w/ a MIT KDC. As you can see I can get krb5 tickets
> and I can run aklog to get AFS tokens. I also have set up pam-openafs-session
> so that I could get a token at login time without having to aklog for it and
> so that I could store IMAP folders in home directories.
> ...
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_krb5afs.so
> session optional /lib/security/pam_openafs_session.so

I doubt your IMAP server is calling pam_open_session when authenticating
users. Your session modules are likely never executed. A "session" is
supposed to only be opened when a TTY is actually allocated for the
connection. For example, SSH will call the session modules only if you
are really sshing in -- not if you're using scp.

Can pam_openafs_session be used as an authentication module? Also, I
didn't think you needed pam_openafs_session when using pam_krb5afs -- only
when using pam_krb5.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
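
A quick check for the situation discussed in this thread, as an added example that is not part of the original messages: it parses PAM stack lines like the ones quoted above and lists modules that sit only in stacks the service never runs. Which PAM entry points a service calls is an input assumption, and the `auth` line in the sample is constructed because the original config is elided.

```python
import os

PAM_TYPES = {"auth", "account", "password", "session"}

# Constructed sample: the four session lines quoted in the message, plus a
# hypothetical auth line (the original config is elided with "...").
SAMPLE = """\
auth    required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5afs.so
session optional /lib/security/pam_openafs_session.so
"""

def parse_pam(text):
    """Return {type: [module file names]} for one PAM service file."""
    stacks = {t: [] for t in PAM_TYPES}
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mtype = fields[0].lstrip("-").lower()  # leading "-" means "skip if missing"
        if mtype not in PAM_TYPES:
            continue  # e.g. @include directives
        i = 1
        if fields[1].startswith("["):  # bracketed control: [value=action ...]
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue  # no module path after the control field
        stacks[mtype].append(os.path.basename(fields[i + 1]))
    return stacks

def unreached_modules(stacks, called_types):
    """Modules configured only in stacks the application never runs."""
    reached = {m for t in called_types for m in stacks.get(t, [])}
    configured = {m for mods in stacks.values() for m in mods}
    return sorted(configured - reached)

if __name__ == "__main__":
    stacks = parse_pam(SAMPLE)
    # Assumption: this service authenticates but never calls pam_open_session.
    for mod in unreached_modules(stacks, {"auth", "account"}):
        print("never executed for this service:", mod)
```

Passing `{"auth", "account", "session"}` as the second argument models a service that does open a PAM session, in which case nothing is reported for this sample.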