[OpenAFS] help with pam-openafs-session

Charles Clancy security@xauth.net
Thu, 15 May 2003 11:06:16 -0500 (CDT)


On Tue, 13 May 2003, Renato Arruda wrote:

> Hi,
>
> I'm running OpenAFS 1.2.7 w/ a MIT KDC. As you can see I can get krb5 tickets
> and I can run aklog to get AFS tokens. I also have set up pam-openafs-session
> so that I could get a token at login time without having to aklog for it and
> so that I could store IMAP folders in home directories.
> ...
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_krb5afs.so
> session     optional      /lib/security/pam_openafs_session.so

I doubt your IMAP server is calling pam_open_session when authenticating
users.  Your session modules are likely never executed.  A "session" is
supposed to only be opened when a TTY is actually allocated for the
connection.  For example, SSH will call the session modules only if you
are really sshing in -- not if you're using scp.

Can pam_openafs_session be used as an authentication module?  Also, I
didn't think you needed pam_openafs_session when using pam_krb5afs -- only
when using pam_krb5.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
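
Added example, not part of the original message and not OpenAFS or Linux-PAM code: a small check that parses a pam.d-style stack and lists the modules that can never run given the libpam calls an application makes. The four session lines are the ones quoted above; the auth/account lines and the set of calls attributed to the IMAP daemon are assumptions made for illustration.

```python
# libpam entry point -> management group (first column of a pam.d line)
CALL_TO_GROUP = {
    "pam_authenticate": "auth",
    "pam_setcred": "auth",
    "pam_acct_mgmt": "account",
    "pam_chauthtok": "password",
    "pam_open_session": "session",
    "pam_close_session": "session",
}

# Session lines come from the quoted message; auth/account lines are constructed.
SAMPLE_STACK = """\
auth        required      /lib/security/pam_unix.so
account     required      /lib/security/pam_unix.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5afs.so
session     optional      /lib/security/pam_openafs_session.so
"""

# Assumption: a daemon that only verifies the password and the account.
IMAP_DAEMON_CALLS = {"pam_authenticate", "pam_acct_mgmt"}

def parse_stack(text):
    """Return [(group, control, module_path)] for each rule line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # blank, comment-only, short, or @include line
        i = 1
        if fields[1].startswith("["):  # control like [success=1 default=ignore]
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue  # unterminated bracket or no module path
        control = " ".join(fields[1:i + 1])
        entries.append((fields[0].lstrip("-").lower(), control, fields[i + 1]))
    return entries

def never_invoked(text, calls_made):
    """Modules whose group is reached by none of the application's PAM calls."""
    reached = {CALL_TO_GROUP[c] for c in calls_made}
    return [(g, m) for g, _, m in parse_stack(text) if g not in reached]

if __name__ == "__main__":
    for group, module in never_invoked(SAMPLE_STACK, IMAP_DAEMON_CALLS):
        print(f"never runs: {group:8} {module}")
```

With the assumed call set, all four session modules are reported as never running; adding pam_open_session to the set empties the list.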