[OpenAFS] kerberos + pam
Douglas E. Engert
deengert@anl.gov
Fri, 15 Oct 2004 13:39:44 -0500
Sensei wrote:
> On Thu, 2004-10-14 at 19:08, Maurizio Santini wrote:
>
>>1) When I use the module provided by kerberos package (pam_krb5afs.so) I
>>2) If I use the same module provided by
>>3) If I use the module pam_afs.krb.so provided by the openafs rpms I get
>
>
> I suppose that
> - you're not running kaserver
> - you have a kdc
> - you authenticate over k5
> - you want to get a token along with a ticket
>
> I'd suggest in trying pam_openafs_session from debian stable (simply
> aklog). None of the previous solutions worked for me. The third solution
> works only if you have a k4 ticket.
As you note this is quite complicated. See my note of 9/17/4,
"[OpenAFS] The AFS + PAM + SSH Nightmare". If you are interested,
the first version of the gafstoken and pam_afs2 are available.
ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
The gafstoken is a single routine that will issue a syscall to get a PAG
then fork/exec your favorite aklog to get a token. gafstoken has
no AFS or Kerberos dependencies (other than knowing the PAG syscall).
pam_afs2 is a PAM routine designed to work with some pam_krb5 or
OpenSSH calling PAM. pam_afs2 takes the pam_env_list and passes this
to gafstoken, so it is accessible to your aklog.
pam_afs2 has no Kerberos or AFS code or dependencies either.
It is counting on the pam_krb5 or OpenSSH to save the ticket cache and
have called pam_put_env with KRB5CCNAME. pam_krb5 can be run from the
pam_sm_authenticate, pam_sm_set_cred, or pam_sm_open_session depending
on how the calling application uses PAM.
These routines are new but do work well with Solaris so far. They should
work on other systems as well. I am looking for feedback.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
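The gafstoken design described in the message above (take the PAM environment list and fork/exec aklog with it, so aklog can find KRB5CCNAME), as an added C sketch that is not Douglas Engert's code nor OpenAFS code: the PAG syscall is assumed to be issued elsewhere and is left out, and the sample environment and the use of /bin/sh in place of aklog are constructed for the demonstration.

```c
/* gafstoken-style sketch (added example): hand the PAM environment list, as
 * returned by pam_getenvlist() after pam_krb5 set KRB5CCNAME, to a forked
 * aklog. The AFS PAG syscall is assumed to be done elsewhere and is omitted. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Find NAME in a NULL-terminated "NAME=VALUE" list; the '=' check keeps "KRB5CC" from matching "KRB5CCNAME". */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Fork/exec HELPER (absolute path: PATH from the PAM environment is never
 * searched) with ARGV and exactly the environment ENVP. Returns the helper's
 * exit status, or -1 if KRB5CCNAME is absent (no cache to aklog with) or exec fails. */
int run_token_helper(const char *helper, char *const argv[], char *const envp[])
{
    int status;
    if (!env_lookup(envp, "KRB5CCNAME"))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The real gafstoken would issue the PAG syscall here (assumed, omitted). */
        execve(helper, argv, envp);
        _exit(127);             /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed stand-in for pam_getenvlist() output; /bin/sh stands in for aklog. */
    char *const env[] = {"KRB5CCNAME=FILE:/tmp/krb5cc_constructed", "PATH=/usr/bin:/bin", NULL};
    char *const argv[] = {"sh", "-c", "echo \"helper sees KRB5CCNAME=$KRB5CCNAME\"", NULL};
    printf("helper exit status: %d\n", run_token_helper("/bin/sh", argv, env));
    return 0;
}
```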