[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Douglas E. Engert deengert@anl.gov
Tue, 12 Apr 2005 17:10:47 -0500


As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
AFS integration into the login process becomes more difficult, as
some vendors do not provide OpenAFS. We have no problems with installing
OpenAFS separately, but would like to not have to replace the vendor's
pam_krb5 or sshd modules that combine Kerberos and AFS.

Kerberos and OpenSSH are much more widely known and accepted
by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
Kerberos and SSH, but there are a lot of vendors that do not support
OpenAFS. And many sysadmins are reluctant to replace the PAM
and SSH to support OpenAFS versions. They may be willing to add
but not replace.


I would like to contribute to OpenAFS two source modules, pam_afs2.c
and gafstoken.c.  These can be found today in two separate build
packages:

    ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
    ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar

pam_afs2.c is a PAM routine that can be called after a pam_krb5
routine has been called. All pam_afs2.c requires is that the pam_krb5
routine has stored the credentials and done pam_putenv of the
KRB5CCNAME.

pam_afs2.c will then call the gafstoken routine that will
get a PAG using syscalls, then fork/exec your favorite aklog,
ak5log, gssklog, or afslog to actually get the token.

Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
in them directly (other than the syscalls to get a PAG), this helps
to simplify the integration and avoids Kerberos lib name clashes and
eliminates 32 vs 64 bit version problems and allows for
integration at the pam.conf level.

I have been using these routines on Solaris 9 for almost 6 months
and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
and friends. Unlocking the screen will keep the same PAG, but get
a new Kerberos ticket and AFS token.

We have been using the MIT Kerberos on Solaris, but expect to
have a simple conversion to Solaris 10 using the Solaris Kerberos.

I have also done some testing on RedHat using their pam_krb5.o,
rather than the pam_krb5afs.o.

pam_afs2 also works well with OpenSSH pam session support, to get
the PAG and token, with no OpenSSH mods required.

The two tar files listed above will configure to build the
pam routine and the gafstoken lib. They each have a README
file which goes into more detail. A pam.conf file for Solaris is
also included in the tar file.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
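The design described above, a PAM-side helper that hands the KRB5CCNAME set by pam_krb5 to a separately exec'd token program, can be exercised with the following added example. This is illustrative code written for this page, not the pam_afs2.c or gafstoken.c sources the post announces. It assumes a POSIX system with /bin/sh; the AFS syscall that gafstoken uses to obtain a PAG before the exec is AFS-specific and is deliberately left out, and the "helper" run here is a shell test that stands in for aklog/afslog. One caveat the pattern raises: a credential cache of type MEMORY: lives in the calling process and is invisible to an exec'd child, so the helper only accepts cache names a child can actually open.

```c
/* Added example, not the pam_afs2/gafstoken code from the post. It shows the
 * "fork/exec a token helper" step with a scrubbed child environment carrying
 * only the KRB5CCNAME that pam_krb5 exported. The AFS setpag syscall that the
 * real gafstoken performs before the exec is omitted here (assumption). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Only credential caches that outlive exec() are usable by a child process.
 * FILE: and DIR: caches are on disk; a MEMORY: cache lives in the parent's
 * address space and would be lost. This filter is the example's own choice. */
int ccname_usable_by_child(const char *ccname)
{
    if (ccname == NULL || *ccname == '\0')
        return 0;
    if (strncmp(ccname, "FILE:/", 6) == 0 || strncmp(ccname, "DIR:/", 5) == 0)
        return 1;
    return 0;
}

/* Fork and exec argv[0] with an environment containing only KRB5CCNAME and a
 * fixed PATH, so nothing else from the login process leaks into the helper.
 * Returns the child's exit status, or -1 on a local failure (errno is set). */
int run_token_helper(char *const argv[], const char *ccname)
{
    if (!ccname_usable_by_child(ccname)) {
        errno = EINVAL;
        return -1;
    }

    char cc_env[1024];
    if (snprintf(cc_env, sizeof cc_env, "KRB5CCNAME=%s", ccname) >= (int)sizeof cc_env) {
        errno = ENAMETOOLONG;
        return -1;
    }
    char *const envp[] = { cc_env, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);               /* exec failed; report it like a shell would */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                    /* killed by a signal: treat as failure */
}

/* Stand-in for aklog/afslog (constructed for the example): a shell snippet that
 * exits 0 only if the child actually sees the expected KRB5CCNAME. */
int demo(const char *ccname, const char *expected)
{
    char script[1200];
    snprintf(script, sizeof script, "test \"$KRB5CCNAME\" = '%s'", expected);
    char *argv[] = { "/bin/sh", "-c", script, NULL };
    return run_token_helper(argv, ccname);
}

int main(void)
{
    /* Constructed cache name in the style pam_krb5 would export. */
    int rc = demo("FILE:/tmp/krb5cc_1000_ab12", "FILE:/tmp/krb5cc_1000_ab12");
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

In a real module the return value of run_token_helper is what decides whether pam_afs2's session call reports success; a non-zero status from aklog or afslog should be logged rather than silently ignored, since the user will otherwise land in a session with a PAG but no token.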