[OpenAFS] aklog and PAM for Solaris
Douglas E. Engert
deengert@anl.gov
Tue, 23 Aug 2005 14:47:50 -0500
In response to my own comment about trying aklog on Solaris 10 with the
built-in Kerberos, I was able to get it to run. Attached are diffs
to the OpenAFS 1.4.0-rc1. Hopefully someone will find these useful, and they will
cause others to ask Sun to include the krb5.h in the base distribution.
(See the note to kerberos@mit.edu asking Sun these same questions.)
To do this required using the krb5/include from http://www.opensolaris.org
to get a krb5.h, plus the MIT krb5-1.4.1 profile.h and com_err.h.
The changes in aklog are:
o Solaris 10 does not define u_int32_t, but does have a uint32_t.
o Solaris does not have 524, and aklog can be run without it in
some situations, which includes 99% of our users, so I changed the
#error to a #define, and #ifdef'ed out the references to the 524 code.
o Since the Solaris Kerberos does not have add_error_table, but the
MIT com_err.h defines one, I commented out the use of add_error_table
to get it to run.
o The configure was done using:
KRB5CFLAGS="-I$K5BUILD/$SYS/krb5/include"
KRB5LIBS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
export KRB5CFLAGS
export KRB5LIBS
./configure --enable-transarc-paths \
--with-krb5=yes \
--enable-largefile-fileserver \
--host=sparc-sun-solaris2.10
There is another subtle problem in that our AFS servers are not in the
same Kerberos realm as 99% of the users (ANL.GOV) or the cell (anl.gov).
This required the use of the aklog -c and -k options.
So this is looking promising. We will continue to use gssklog, which has
no problems with using the Solaris 10 Kerberos via GSSAPI.
Douglas E. Engert wrote:
>
>
> John Tang Boyland wrote:
>
>> I've been able to transition to using Kerberos V with the help
>> of people on this list and Ken's migration kit (thanks!). I put some
>> notes in the Wiki to fill in some gaps.
>>
>> I notice that openafs-1.3.87 includes aklog (good!) but it seems to be
>> missing a PAM module that can be used with krb5. The man page
>> pam_afs.5 says one should use pam_krb5 instead of pam_afs but of
>> course, pam_krb5 doesn't get AFS tokens. Because of the way dtlogin
>> works on Solaris, you need to get tokens before the .profile/.cshrc is
>> sourced. A PAM module seems to be the right thing. There are old
>> notes talking about pam_aklog (on Martin Schultz's old AFS-Krb5 web
>> page that is only available in Google caches) including about
>> T. Clancy's pam_aklog with a dead URL.
>>
>> (1) How do other sites handle this? Is pam_aklog passe ?
>
>
> We are using the Solaris 10 provided pam_krb5, and Solaris provided
> Kerberos which knows nothing about AFS.
>
> We have added an additional pam_afs2 that is called after the pam_krb5
> has sorted the tickets and set KRB5CCNAME in the pam_env. pam_afs2 then
> forks/execs gssklog. It could just as easily fork/exec the aklog from
> 1.3.87, which is on my list of things to try. Note that pam_afs2 has
> no Kerberos or AFS code; it just passes the pam_env with the KRB5CCNAME
> to the gssklog or aklog.
>
> The above works with Solaris 10's version of SSHD, dtlogin, login, xlock
> and xscreensaver. With xlock and xscreensaver the tickets and tokens are
> refreshed. See attached pam.conf
>
> Solaris 10's sshd has some problems with trying to use the default
> ticket cache for a user, so we went back to using session based
> credentials where each session has its own ticket cache pointed
> at by KRB5CCNAME. To force the SSHD to do this, we added a
> pam_krb5_ccache that calls pam_put_env to preset the KRB5CCNAME
> to be used by the SSHD, thus going back to session based credentials.
>
> (On Solaris 9 we are using a version of Frank Cusack's pam_krb5
> and pam_afs2 in some cases.)
>
>> (2) If not, how can I get it for Solaris ?
>> (2b) Is there some reason why it isn't integrated with
>> aklog in the src tree ? (or in the PAM directory.)
>
>
> I believe that the pam_krb5 and pam_afs* should not be integrated,
> on any system (as I have said in the past). Having them separate allows
> one to use the vendor's pam_krb5.
>
>> (3) Can we get some documentation/help from this from Openafs.org ?
>> There are many places that encourage one to use krb5 instead
>> of AFS kaserver, but one's left scrounging around in unofficial
>> RPM's off random websites to get something to work with Solaris.
>
>
> If anyone is interested, Here is one of those random sites:
>
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.3.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar
>
>
>
>> Thanks!
>> John
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>
>
>
> ------------------------------------------------------------------------
>
> #
> #ident "@(#)pam.conf 1.28 04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required /krb5/lib/pam_afs2.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> krsh auth required /krb5/lib/pam_afs2.so.1
> #krsh auth required pam_unix_auth.so.1
>
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> #DEE leave unmodified until the pam.conf and pam_afs2 are stable
> #DEE leaves us a way onto the machine
> # But this allows password login
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
>
> # DEE from pam_krb5_man pages:
>
> #DEE smartcard failed, so skip it for now
> #dtlogin auth requisite pam_smartcard.so.1
> dtlogin auth requisite pam_authtok_get.so.1
> dtlogin auth required pam_dhkeys.so.1
> dtlogin auth required pam_unix_cred.so.1
> dtlogin auth optional pam_krb5.so.1
> dtlogin auth required /krb5/lib/pam_afs2.so.1
> # allows password login
> dtlogin auth optional pam_unix_auth.so.1
>
> #
> # dtsession - lock/unlock screen, refresh creds and AFS token
> #
> dtsession auth requisite pam_authtok_get.so.1
> dtsession auth required pam_dhkeys.so.1
> dtsession auth optional pam_krb5.so.1
> dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
> # allows unlock with local password
> dtsession auth optional pam_unix_auth.so.1
>
> #
> # xlock
> #
> xlock auth requisite pam_authtok_get.so.1
> xlock auth required pam_dhkeys.so.1
> xlock auth optional pam_krb5.so.1
> xlock auth required /krb5/lib/pam_afs2.so.1 nopag
> # allows unlock with local password
> xlock auth optional pam_unix_auth.so.1
>
> #
> # xscreensaver used by gnome or CDE
> #
> xscreensaver auth requisite pam_authtok_get.so.1
> xscreensaver auth required pam_dhkeys.so.1
> xscreensaver auth optional pam_krb5.so.1
> xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
> # allows unlock with local password
> xscreensaver auth optional pam_unix_auth.so.1
> #
>
> #
> # sshd - keyboard interactive uses all PAM exits, but
> # PAM session is called when GSSAPI delegation or
> # Kerberos password used, so get AFS token in all three cases.
> # We want a session type cache, so with ANL PAM
> # pass in ccache= to account routine
> # RedHat PAM uses session caches already
> #
> sshd-kbdint auth requisite pam_authtok_get.so.1
> sshd-kbdint auth required pam_dhkeys.so.1
> sshd-kbdint auth required pam_krb5.so.1
> # allows login with local password
> sshd-kbdint auth optional pam_unix_auth.so.1
>
> sshd-kbdint account requisite pam_roles.so.1
> sshd-kbdint account required pam_unix_account.so.1
> sshd-kbdint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
>
> sshd-kbdint session required pam_unix_session.so.1
> sshd-kbdint session required /krb5/lib/pam_afs2.so.1
>
> # Used by GSS, but ssh has bug about saving creds, so we use session based creds.
>
> sshd-gssapi account requisite pam_roles.so.1
> sshd-gssapi account required pam_unix_account.so.1
> sshd-gssapi account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p
>
> sshd-gssapi session required pam_unix_session.so.1
> sshd-gssapi session required /krb5/lib/pam_afs2.so.1
> sshd-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 clean
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Attachment: aklog.1.4.0-rc1.diff
--- ./,aklog.h Mon Jul 11 14:07:00 2005
+++ ./aklog.h Tue Aug 23 10:50:24 2005
@@ -51,6 +51,10 @@
#define INST_SZ 40
#endif /* INST_SZ */
+#ifndef u_int32_t
+#define u_int32_t uint32_t
+#endif
+
struct ktext {
unsigned int length;
unsigned char dat[MAX_KTXT_LEN];
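Review bot: the `#ifndef u_int32_t` guard only works when u_int32_t is a preprocessor macro; on platforms where it is a typedef (the usual case outside Solaris 10) the guard is always true and every use of u_int32_t in code that includes aklog.h is silently rewritten to uint32_t. Since this is a Solaris 10 workaround, it would be safer to have configure test for the type (an AC_CHECK_TYPE-style check producing a HAVE_U_INT32_T define) or to key the definition on a Solaris-specific macro, and to make sure <inttypes.h> or <sys/types.h> is included before this point so that uint32_t is actually declared; a `typedef uint32_t u_int32_t;` under that guard would also avoid macro side effects.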
--- ./,aklog_main.c Mon Jul 18 21:51:53 2005
+++ ./aklog_main.c Tue Aug 23 12:44:36 2005
@@ -201,7 +201,7 @@
#if !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC)
#define krb5_524_convert_creds krb524_convert_creds_kdc
#elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC)
-#error "You must have one of krb5_524_convert_creds or krb524_convert_creds_kdc available"
+#define HAVE_NO_KRB5_524
#endif
#endif /* WINDOWS */
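Review bot: turning the `#error` into `#define HAVE_NO_KRB5_524` converts a hard build failure into a feature being compiled out, which is the stated intent, but the new macro needs a comment right here saying that it disables the 524 conversion path and the -524 option on Kerberos builds that have neither krb5_524_convert_creds nor krb524_convert_creds_kdc, since every other hunk in this patch keys off it. It would also be cleaner for configure to define this next to HAVE_KRB5_524_CONVERT_CREDS rather than deriving it in the middle of aklog_main.c.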
@@ -631,6 +631,7 @@
get_cred_keylen(v5cred));
atoken.ticketLen = v5cred->ticket.length;
memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
+#ifndef HAVE_NO_KRB5_524
} else {
CREDENTIALS cred;
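Review bot: wrapping `} else {` in `#ifndef HAVE_NO_KRB5_524` turns the if/else into a bare if, so on a 524-less build, if the enclosing condition is false at runtime, atoken is never filled in and execution continues to the token-setting code with an uninitialized ticket and session key. An `#else` branch that reports "524 conversion not available in this build" and exits non-zero would make that failure explicit instead of relying on the condition always being true.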
@@ -665,6 +666,7 @@
memcpy(&atoken.sessionKey, cred.session, 8);
atoken.ticketLen = cred.ticket_st.length;
memcpy(atoken.ticket, cred.ticket_st.dat, atoken.ticketLen);
+#endif /* HAVE_NO_KRB5_524 */
}
if (!force &&
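Review bot: the trailing comment on the new `#endif` reads `/* HAVE_NO_KRB5_524 */` but it closes an `#ifndef`; the convention already used in this file (`#endif /* !HAVE_ADD_ERROR_TABLE */`) would be `/* !HAVE_NO_KRB5_524 */`, which matters when reading the second half of the split if/else on its own.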
@@ -1187,7 +1189,11 @@
"[-d] [[-cell | -c] cell [-k krb_realm]] ",
"[[-p | -path] pathname]\n",
" [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] \n"
- " [-linked] [-524]\n");
+ " [-linked]"
+#ifndef HAVE_NO_KRB5_524
+ " [-524]"
+#endif
+ "\n");
fprintf(stderr, " -d gives debugging information.\n");
fprintf(stderr, " krb_realm is the kerberos realm of a cell.\n");
fprintf(stderr, " pathname is the name of a directory to which ");
@@ -1199,7 +1205,9 @@
fprintf(stderr, " -force means replace identical tickets. \n");
fprintf(stderr, " -linked means if AFS node is linked, try both. \n");
fprintf(stderr, " -setpag set the AFS process authentication group.\n");
+#ifndef HAVE_NO_KRB5_524
fprintf(stderr, " -524 means use the 524 converter instead of V5 directly\n");
+#endif
fprintf(stderr, " No commandline arguments means ");
fprintf(stderr, "authenticate to the local cell.\n");
fprintf(stderr, "\n");
@@ -1272,8 +1280,10 @@
linked++;
else if (strcmp(argv[i], "-force") == 0)
force++;
+#ifndef HAVE_NO_KRB5_524
else if (strcmp(argv[i], "-524") == 0)
do524++;
+#endif
else if (strcmp(argv[i], "-setpag") == 0)
afssetpag++;
else if (((strcmp(argv[i], "-cell") == 0) ||
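Review bot: with the `-524` comparison compiled out, a user who passes -524 on a 524-less build no longer matches here and the argument falls through to the remaining else-if chain rather than producing a clear error. Consider keeping the strcmp and, under HAVE_NO_KRB5_524, printing a "-524 is not supported in this build" message and exiting, so scripts written for other platforms fail loudly instead of having the flag silently reinterpreted.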
@@ -1527,13 +1537,13 @@
#undef error_table
#ifndef HAVE_ADD_ERROR_TABLE
-void add_error_table (const struct error_table *);
+long add_error_table (const struct error_table *);
#endif /* !HAVE_ADD_ERROR_TABLE */
void
add_to_error_table(struct et_list *new_table)
{
- add_error_table((struct error_table *) new_table->table);
+// add_error_table((struct error_table *) new_table->table);
}
#endif /* HAVE_ADD_TO_ERROR_TABLE */
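Review bot: commenting out the add_error_table call means the AFS error tables are never registered with com_err on this build, so errors reported through the com_err message path come back as bare numeric codes rather than text; if that is acceptable for the Solaris build it should be an `#if 0` or a Solaris-specific conditional with a comment explaining that the Solaris libkrb5 does not export add_error_table, not a `//` comment (which is also not valid C89). Changing the prototype from void to long only reconciles this declaration with the MIT com_err.h used for the build; since the function is no longer called, the prototype could be dropped under the same conditional rather than carried with a mismatched return type.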
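The pam.conf quoted earlier in this message stacks pam_afs2 after pam_krb5 so that the AFS token is fetched from the ticket cache pam_krb5 left in the PAM environment; it also contained an sshd-kdbint/sshd-kbdint service-name mismatch, which would send the account and session phases of keyboard-interactive ssh logins to the "other" stack and skip pam_afs2 entirely. The following checker is an added example, not code from the original message or from OpenAFS or Sun. It parses Solaris-style pam.conf lines and reports two things: service names that look like typos of each other, and pam_afs2 entries that no pam_krb5 entry precedes for the same service. The sample input is constructed to mirror the shape of the quoted file (including the typo and an xlock stack with the two modules reversed), and the ordering auth, then account, then session is an assumption about how the calling application runs the stacks.

```python
"""Sanity checks for a Solaris-style pam.conf Kerberos/AFS stack.

Added example; not part of the original message or of OpenAFS.
The sample below is constructed to mirror the quoted pam.conf,
including its sshd-kdbint / sshd-kbdint service-name mismatch.
"""
from collections import defaultdict, namedtuple

# Constructed sample input (a few lines in the style of the quoted file).
SAMPLE_PAM_CONF = """\
# sshd keyboard-interactive: Kerberos password, then AFS token at session time
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_krb5.so.1
sshd-kbdint auth optional pam_unix_auth.so.1
sshd-kdbint account required /krb5/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_pw_%u_%p
sshd-kdbint session required /krb5/lib/pam_afs2.so.1
dtlogin auth optional pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs2.so.1
xlock auth required /krb5/lib/pam_afs2.so.1 nopag
xlock auth optional pam_krb5.so.1
"""

Entry = namedtuple("Entry", "lineno service mgmt flag module options")

# Assumed order in which a login application drives the stacks.
MGMT_RANK = {"auth": 0, "account": 1, "session": 2, "password": 3}


def parse_pam_conf(text):
    """Parse 'service type flag module [options...]' lines; skip comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("line %d: expected at least 4 fields" % lineno)
        service, mgmt, flag, module = parts[:4]
        entries.append(Entry(lineno, service, mgmt, flag, module, parts[4:]))
    return entries


def module_name(entry):
    """Basename of the module path, e.g. /krb5/lib/pam_afs2.so.1 -> pam_afs2.so.1."""
    return entry.module.rsplit("/", 1)[-1]


def suspicious_service_names(entries):
    """Pairs of distinct service names that differ only by a transposition
    or a single character, the classic typo that splits one stack in two."""
    names = sorted({e.service for e in entries})
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(a) != len(b):
                continue
            anagram = sorted(a) == sorted(b)
            one_off = sum(x != y for x, y in zip(a, b)) <= 1
            if anagram or one_off:
                pairs.append((a, b))
    return pairs


def afs_without_prior_krb5(entries, exempt=frozenset()):
    """(lineno, service) for every pam_afs2 entry that runs before any
    pam_krb5 entry of the same service, i.e. before a ticket cache exists.
    Services whose cache comes from elsewhere (e.g. GSSAPI delegation in
    sshd) can be passed in 'exempt'."""
    by_service = defaultdict(list)
    for e in entries:
        by_service[e.service].append(e)
    findings = []
    for service, stack in by_service.items():
        if service in exempt:
            continue
        ordered = sorted(stack, key=lambda e: (MGMT_RANK.get(e.mgmt, 99), e.lineno))
        seen_krb5 = False
        for e in ordered:
            name = module_name(e)
            if name.startswith("pam_krb5."):      # not pam_krb5_ccache
                seen_krb5 = True
            elif name.startswith("pam_afs2.") and not seen_krb5:
                findings.append((e.lineno, service))
    return sorted(findings)


def run_checks(text, exempt=frozenset()):
    entries = parse_pam_conf(text)
    return {
        "near_miss_services": suspicious_service_names(entries),
        "afs_before_krb5": afs_without_prior_krb5(entries, exempt),
    }


if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_PAM_CONF).items():
        print(check, findings)
```

On the constructed sample the first check reports the sshd-kbdint/sshd-kdbint pair, and the second reports the sshd-kdbint session line (no pam_krb5 ever ran for that misspelled service) and the xlock stack, where pam_afs2 is listed ahead of pam_krb5. Fixing the service name clears the first finding but not the xlock ordering, which is the point of running both checks.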