[OpenAFS] help with pam-openafs-session

Charles Clancy security@xauth.net
Thu, 15 May 2003 17:50:40 -0500 (CDT)


On Thu, 15 May 2003, Derek T. Yarnell wrote:

> On Thu, May 15, 2003 at 11:06:16AM -0500, Charles Clancy wrote:
>
> > On Tue, 13 May 2003, Renato Arruda wrote:
> >
> > > I'm running OpenAFS 1.2.7 w/ a MIT KDC. As you can see i can get krb5 tickets
> > > and i can run aklog to get AFS tokens. i also have setup pam-openafs-session
> > > so that i could get a token at login time without having to aklog for it and
> > > so that i could store IMAP folders in home directories.
> >
> > I doubt your IMAP server is calling pam_open_session when authenticating
> > users.  Your session modules are likely never executed.  A "session" is
> > supposed to only be opened when a TTY is actually allocated for the
> > connection.  For example, SSH will call the session modules only if you
> > are really sshing in -- not if you're using scp.
>
> No it is a session module only, I would think that maybe you need to
> make sure it is running a setpag.

If it's session only, then it's not going to work.  It has nothing to do
with the PAG.  I'm not sure which imap daemon is being used, but for
example, the latest wu-imapd's pam code looks like:

  if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
                  pw->pw_name,&conv,&hdl) != PAM_SUCCESS) ||
      (pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) ||
      (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
      (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
      (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
                                /* clean up */
    pam_setcred (hdl,PAM_DELETE_CRED);
    pam_end (hdl,PAM_AUTH_ERR); /* failed */

No call to pam_open_session(), thus no session modules are run.  They
actually do have a call to it, but it's disabled:

  #if 0
  /*
   * Some people have reported that this causes a SEGV in strncpy() from
   * pam_unix.so.1
   */
  /*
   * This pam_open_session() call is inconsistent with how we handle other
   * platforms, where we don't write [uw]tmp records.  However, unlike our
   * code on other platforms, pam_acct_mgmt() will check those records for
   * inactivity and deny the authentication.
   */
  pam_open_session (hdl,NIL);   /* make sure account doesn't go inactive */
  #endif

You could patch your imapd source, patch pam_openafs_session to run aklog
during pam_setcred(), or use a different module.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
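The point made above, that a session-only module never runs under the quoted wu-imapd call sequence while a module hooked into pam_setcred() would, is easier to see in a small model of PAM's dispatch. The following is an added example, not code from this thread, from wu-imapd or from pam-openafs-session: it simulates how each application-facing PAM call walks exactly one management stack (pam_setcred() walks the auth stack and invokes pam_sm_setcred(); pam_open_session() walks the session stack), using two constructed service configurations and a hypothetical "setcred-patched" variant of pam_openafs_session.

```c
#include <stdio.h>
#include <string.h>

/* The four PAM management groups. A config line "auth", "account",
 * "session" or "password" places a module on the matching stack. */
enum group { AUTH, ACCOUNT, SESSION, PASSWORD };

struct module {
    const char *name;
    enum group   group;
    int has_setcred;       /* implements pam_sm_setcred()      */
    int has_open_session;  /* implements pam_sm_open_session() */
};

#define NMOD(a) (sizeof (a) / sizeof (a)[0])

/* Constructed service configs (not real /etc/pam.d files). */
static const struct module imap_session_only[] = {
    { "pam_krb5",            AUTH,    1, 0 },
    { "pam_unix",            ACCOUNT, 0, 0 },
    { "pam_openafs_session", SESSION, 0, 1 },  /* session-only, as in the thread */
};
static const struct module imap_setcred_patched[] = {
    { "pam_krb5",            AUTH,    1, 0 },
    { "pam_openafs_session", AUTH,    1, 0 },  /* hypothetical: aklog moved into setcred */
    { "pam_unix",            ACCOUNT, 0, 0 },
};

struct handle {
    const struct module *stack;
    size_t n;
    char trace[256];  /* "module:hook " entries in execution order */
};

static void record(struct handle *h, const char *mod, const char *hook) {
    size_t used = strlen(h->trace);
    snprintf(h->trace + used, sizeof h->trace - used, "%s:%s ", mod, hook);
}

/* Each application call walks exactly one stack. pam_setcred() is the odd one:
 * it walks the auth stack again, this time calling pam_sm_setcred(). */
static void sim_authenticate(struct handle *h) {
    for (size_t i = 0; i < h->n; i++)
        if (h->stack[i].group == AUTH) record(h, h->stack[i].name, "authenticate");
}
static void sim_acct_mgmt(struct handle *h) {
    for (size_t i = 0; i < h->n; i++)
        if (h->stack[i].group == ACCOUNT) record(h, h->stack[i].name, "acct_mgmt");
}
static void sim_setcred(struct handle *h) {
    for (size_t i = 0; i < h->n; i++)
        if (h->stack[i].group == AUTH && h->stack[i].has_setcred)
            record(h, h->stack[i].name, "setcred");
}
static void sim_open_session(struct handle *h) {
    for (size_t i = 0; i < h->n; i++)
        if (h->stack[i].group == SESSION && h->stack[i].has_open_session)
            record(h, h->stack[i].name, "open_session");
}

/* The sequence quoted from wu-imapd: authenticate, acct_mgmt, setcred, and no open_session. */
static void imapd_sequence(struct handle *h) {
    sim_authenticate(h); sim_acct_mgmt(h); sim_setcred(h);
}
/* What an interactive login (a TTY allocated) does in addition. */
static void login_sequence(struct handle *h) {
    imapd_sequence(h); sim_open_session(h);
}

/* Returns 1 if any pam_openafs_session hook ran for the given config and caller. */
int openafs_hook_ran(const struct module *cfg, size_t n, int interactive_login) {
    struct handle h = { cfg, n, "" };
    if (interactive_login) login_sequence(&h); else imapd_sequence(&h);
    return strstr(h.trace, "pam_openafs_session:") != NULL;
}

int main(void) {
    printf("imapd, session-only module:    %d\n",
           openafs_hook_ran(imap_session_only, NMOD(imap_session_only), 0));
    printf("login, session-only module:    %d\n",
           openafs_hook_ran(imap_session_only, NMOD(imap_session_only), 1));
    printf("imapd, setcred-patched module: %d\n",
           openafs_hook_ran(imap_setcred_patched, NMOD(imap_setcred_patched), 0));
    return 0;
}
```

The first case is the situation in the thread: the daemon stops at pam_setcred(), so a module that lives only on the session stack is never entered and no token is obtained. Moving the token acquisition into a pam_sm_setcred() hook on the auth stack (the patch suggested above) makes it fire under the same unchanged daemon call sequence; the simulation is a model of the dispatch rule, not a substitute for checking the daemon's actual PAM calls.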