[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Douglas E. Engert deengert@anl.gov
Thu, 14 Apr 2005 08:14:36 -0500


A few more comments in reference to the pam_afs in 1997, no aklog
and fork/exec.

We first developed ak5log in July 1996, when we were using DCE
as the Kerberos KDCs. DCE did not support k4 so everything had
to be done via K5, and krb524. Ak5log was (and still is)
fork/exec'ed by rlogind, telnetd, ftpd, login and now even
sshd.

See the announcement text file at:
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/old/Anouncment.k56

...

The intent of the original note was to get OpenAFS to add
missing pieces such as pam_afs or pam_afs2 and make it easier
to add the "aklog" supplied by OpenAFS or a Kerberos developer
or by a site when not available from the above.



Derrick J Brashear wrote:

> On Wed, 13 Apr 2005, Douglas E. Engert wrote:
> 
>>>> pam_afs2.c will then call the gafstoken routine that will
>>>> get a PAG using syscalls, then fork/exec your favorite aklog,
>>>> ak5log, gssklog, or afslog to actually get the token.
> 
> 
> Ask Ken Hornstein about my mockery of forking aklog. Anyway,
> 
> >>> Basically, you're doing the same thing as pam_openafs_session.so
> >>> in debian.
>>
>>
> >> Could be, but it's for more than debian. I would like to see OpenAFS
>> provide the PAM routine that would run in any system.
> 
> 
> We don't provide aklog, afslog, ak5log, gssklog or fries with that yet, 
> so basically we'd be providing "hey buddy, wanna fork /bin/true?"
> 
> >> pam_afs2 is not doing authentication, it is there to get a PAG and token
>> using the credentials saved by a previous pam or by the application like
>> OpenSSH.
> 
> 
> I wrote that in like 1997, it was called pam_afs, used the kerberos 
> tickets gotten by pam_krb4, and linked libraries instead of forking;-)
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444