[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login
Franco "Sensei"
Sensei <senseiwa@tin.it>
Wed, 13 Apr 2005 17:49:23 -0500
Douglas E. Engert wrote:
> As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
> AFS integration into the login process becomes more difficult, as
> some vendors do not provide OpenAFS. We have no problems with installing
> OpenAFS separately, but would like to not have to replace the vendor's
> pam_krb5 or sshd modules that combine Kerberos and AFS.
Of course I would go with things as vanilla as possible.
> Kerberos and OpenSSH are much more widely known and accepted
> by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
> Kerberos and SSH, but there are a lot of vendors that do not support
> OpenAFS. And many sysadmins are reluctant to replace the PAM
> and SSH to support OpenAFS versions. They may be willing to add
> but not replace.
More or less...
> I would like to contribute to OpenAFS two source modules, pam_afs2.c
> and gafstoken.c. These can be found today in two separate build
> packages:
>
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
Ok.
> pam_afs2.c is a PAM routine that can be called after a pam_krb5
> routine has been called. All pam_afs2.c requires is that the pam_krb5
> routine has stored the credentials and done pam_putenv of the
> KRB5CCNAME.
>
> pam_afs2.c will then call the gafstoken routine that will
> get a PAG using syscalls, then fork/exec your favorite aklog,
> ak5log, gssklog, or afslog to actually get the token.
Basically, you're doing the same thing as pam_openafs_session.so in
debian.
> Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
> in them directly (other than the syscalls to get a PAG), this helps
> to simplify the integration and avoids Kerberos lib name clashes and
> eliminates 32 vs 64 bit version problems and allows for
> integration at the pam.conf level.
Is pam_afs2.so at session level like pam_openafs_session.so? Where is it
called?
> I have been using these routines on Solaris 9 for almost 6 months
> and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
> and friends. Unlocking the screen will keep the same PAG, but get
> a new Kerberos ticket and AFS token.
That's good.
> We have been using the MIT Kerberos on Solaris, but expect to
> have a simple conversion to Solaris 10 using the Solaris Kerberos.
>
> I have also done some testing on RedHat using their pam_krb5.o,
> rather than the pam_krb5afs.o.
I find pam_krb5afs.so better, but I didn't realize how to get a PAG before
enabling the shell (SUSE Linux).
> pam_afs2 also works well with OpenSSH pam session support, to get
> the PAG and token, with no OpenSSH mods required.
It doesn't work for SSO though. Am I right?
> The two tar files listed above will configure to build the
> pam routine and the gafstoken lib. They each have a README
> file which goes into more detail. A pam.conf file for Solaris is
> also included in the tar file.
I'll give it a chance, but did you try something for AIX?
--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
<icqnum:241572242>
<yahoo!:sensei_sen>
<msn-id:sensei_sen@hotmail.com>
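Added example, not part of this thread and not code from OpenAFS or from the pam_afs2/gafstoken packages discussed above: the fork/exec step such a PAM session helper needs, in C. It assumes the calling PAM module has already obtained a PAG for the session (so the child inherits it) and has read KRB5CCNAME with pam_getenv(); the helper path (aklog, afslog, gssklog), uid and gid are passed in as parameters.

```c
/* Core of a pam_afs2-style token helper: run aklog (or similar) as the
 * logging-in user, in the session's PAG, with only KRB5CCNAME in the
 * environment. The PAM glue (pam_get_user, pam_getenv, setpag syscall)
 * is assumed to happen in the caller and is not shown here. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>

/* Returns the helper's exit status (0 = token obtained), 127 if it could
 * not be executed, or -1 on a bad argument or fork/wait failure. */
int run_token_helper(const char *helper, const char *ccname,
                     uid_t uid, gid_t gid)
{
    /* Refuse a missing or mangled cache name rather than exec'ing with it. */
    if (!helper || !ccname || !*ccname || strchr(ccname, '\n'))
        return -1;

    char env0[1024];
    if (snprintf(env0, sizeof env0, "KRB5CCNAME=%s", ccname) >= (int)sizeof env0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: session modules run as root, but aklog must read the
         * user's ccache as the user, so drop privileges first. */
        if (setgroups(0, NULL) < 0 && geteuid() == 0)
            _exit(127);
        if (setgid(gid) < 0 || setuid(uid) < 0)
            _exit(127);
        char *const argv[] = { (char *)helper, NULL };
        char *const envp[] = { env0, NULL };   /* minimal, clean environment */
        execve(helper, argv, envp);
        _exit(127);                            /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```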