[OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

Douglas E. Engert deengert@anl.gov
Thu, 14 Apr 2005 10:35:49 -0500


Derrick J Brashear wrote:
> On Thu, 14 Apr 2005, Douglas E. Engert wrote:
> 
>>>> pam_afs2 is not doing authentication, it is there to get a PAG and token
>>>> using the credentials saved by a previous pam or by the application like
>>>> OpenSSH.
>>>
>>> I wrote that in like 1997, it was called pam_afs, used the kerberos
>>> tickets gotten by pam_krb4, and linked libraries instead of forking;-)
>>>
>> Well do you have a newer version of this for krb5?
> 
> No, it hasn't been touched since 1997;-) After working with PAM for a 
> while I came to the conclusion that I hated working with PAM because of 
> inconsistent application support (does the setcred hook work correctly? 
> when are open/close session called? is the environment variable 
> exporting correct? what is done before uid change and what is done 
> after?) and sparse pam.conf keywords. (require pam_krb4 and then 
> optional pam_afs, and then sufficient pam_unix was almost what I wanted)


I don't like pam either for the same reasons.

But as more and more packages are starting to support PAM, it looks like
the lesser of many evils, as it gets one out of modifying package source
code and into modifying pam.conf files instead.

As you point out, does the setcred work, when are open/close session called,
is the environment or the pam_setenv set?

I have tried to make pam_afs2 flexible enough to handle these situations.
It can be forced to do its thing from pam_sm_authenticate, pam_sm_setcred,
or pam_sm_open_session.

On a system like HP-UX, which does not have a pam_setenv, pam_afs2
can take a ccache= parameter, so at a minimum it could use
ccache=FILE:/tmp/krb5cc_%u, which would be the default cache used by
Kerberos.  A %p for process id can also be used in the name.

If and when the vendors improve their PAM, then this can be improved.

For example on Solaris with dtlogin, pam_afs2 is used from
pam_sm_open_session:

   dtlogin auth sufficient    /krb5/lib/pam_krb5.so.1 use_first_pass \
				forwardable force_creds
   dtlogin session required    /krb5/lib/pam_afs2.so.1

Whereas when the screen is unlocked it is called from pam_sm_authenticate:

   dtsession  auth  optional    /krb5/lib/pam_krb5.so.1 use_first_pass \
				forwardable force_creds refresh_creds
   dtsession auth optional     /krb5/lib/pam_afs2.so.1 force_afs nopag

And with OpenSSH-3.9 (with a patch that is in 4.x) pam_afs2 is called
to use the Kerberos cache created by pam_krb5, gssapi delegation or
the compiled in kerberos support.

  sshd   session required    /krb5/lib/pam_afs2.so.1


pam_afs2.c is still a work in progress, and I have tried to make it
flexible. It needs more testing on different systems with different
combinations of vendor provided pam_krb5 routines.

I am using a modified version of Frank Cusack's pam_krb5, but have
started to look at the sourceforge pam_krb5 that is the basis for the
RedHat pam_krb5. I want to get to using the Solaris 10 pam_krb5
and the HP-UX 11.23 pam_krb5 before I retire!

> 
> And probably you don't want it either.

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
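The ccache= template expansion described in the message above, as an added example that is not pam_afs2's own code: it assumes %u expands to the numeric uid, %p to the process id and %% to a literal percent sign, and pairs the expansion with the ownership check a module should make before trusting a cache found at a predictable /tmp path.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/* Expand %u (numeric uid), %p (process id) and %% in tmpl into out.
 * Returns 0 on success, -1 if the result does not fit or the template
 * contains an unknown or trailing '%' sequence. */
int expand_ccache(const char *tmpl, uid_t uid, pid_t pid, char *out, size_t outlen)
{
    size_t pos = 0;
    for (const char *p = tmpl; *p; p++) {
        char buf[32]; size_t n;
        if (*p == '%') {
            switch (*++p) {
            case 'u': n = (size_t)snprintf(buf, sizeof buf, "%lu", (unsigned long)uid); break;
            case 'p': n = (size_t)snprintf(buf, sizeof buf, "%ld", (long)pid); break;
            case '%': buf[0] = '%'; n = 1; break;
            default:  return -1;            /* unknown sequence or '%' at end of template */
            }
        } else { buf[0] = *p; n = 1; }
        if (pos + n >= outlen) return -1;   /* keep room for the terminating NUL */
        memcpy(out + pos, buf, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}

/* Trust a cache at a predictable /tmp path only if it is a regular file
 * (lstat, so a planted symlink is rejected), owned by the user logging in,
 * and not accessible to anyone else. Returns 1 if usable, 0 otherwise. */
int ccache_usable_by(const char *ccache, uid_t uid)
{
    struct stat st;
    const char *path = strncmp(ccache, "FILE:", 5) == 0 ? ccache + 5 : ccache;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid && (st.st_mode & 077) == 0;
}

char ccache_path[128];   /* output buffer, shared with main() below */

int main(void)
{
    if (expand_ccache("FILE:/tmp/krb5cc_%u", getuid(), getpid(), ccache_path, sizeof ccache_path))
        return 1;
    printf("%s usable by uid %lu: %d\n", ccache_path, (unsigned long)getuid(),
           ccache_usable_by(ccache_path, getuid()));
    return 0;
}
```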