[OpenAFS] Simplified integration of OpenAFS, Kerberos SSH and PAM (again)

Douglas E. Engert deengert@anl.gov
Tue, 10 May 2005 16:13:12 -0500


With all the problems with the integration of Krb5, AFS, PAM,
and OpenSSH, I would like to bring forth *again* the concept of
separating out the pam_krb5 from the pam_afs2 from the aklog.

The basic concepts are:

  o Use the vendor's pam_krb5 without any AFS code.

  o Provide a separate pam_afs that gets a PAG using syscall, or
    /proc, and forks/execs a separate program to get the AFS token,
    passing KRB5CCNAME= from the pam_getenv to the program.
    The pam_afs2 has no AFS or Kerberos library dependencies.

  o The separate program is your favorite aklog with whatever
    version of Kerberos and AFS you want to use.

The beauty of this concept includes:

  o No shared lib problems between the pam_krb5 and the application,
    or the aklog.

  o You can use one version of Kerberos in the aklog and another
    in the application or pam_krb5.

  o It would allow OpenAFS to provide the pam_afs and either
    OpenAFS or the Kerberos vendors to provide the aklog.
    (MIT, Heimdal and OpenAFS all have some form of aklog.)

Two examples:
   (1) Sun Solaris 10 using Sun's Kerberos

We now have OpenAFS-1.3.81 running on Solaris 10 using
the Sun provided Kerberos and SSH. We are using the Sun provided
pam_krb5, with a pam_afs2.  Sun does not expose their Kerberos API,
but does have GSSAPI, so we are using the gssklog that links
with the Sun gssapi. They also call pam from everywhere, including
sshd, telnetd, krshd, ftpd, krlogind, dtlogin, login...
So the pam.conf needed a few changes to add the pam_afs2
after the pam_krb5.  We can use Kerberos and get tickets and AFS tokens
from the console, screen unlock, rshd, telnetd, sshd via user/password
or ssh gssapi-with-mic.

(Solaris 10 Kerberos has some glitches, but these can be worked out,
as the developers have been very responsive.)


   (2) RedHat using Heimdal with PKINIT in pam_krb5, and MIT Kerberos
       for OpenSSH and ak5log.

We have pam_afs2 on a RedHat system where the pam_krb5 is
using the Heimdal Kerberos with PKINIT from GDM to authenticate
with Windows AD using a smartcard. But we are still using the
ak5log linked with the MIT Kerberos to get AFS tokens.

For more info see:

ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar

If anyone is interested in the Solaris 10 pam.conf file changes,
contact me.  We are still working with them.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
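The "separate program" half of the design above, as an added example that is not pam_afs2, gafstoken or gssklog code: a small helper that a pam_afs2-style session module would fork/exec after it has already set the PAG in its own process (the child inherits the PAG, which is why the module, not the helper, must do the PAG step). The helper takes the target user name and optionally the aklog path on its command line, reads KRB5CCNAME from the environment the module hands it, drops from root to the user, checks that the cache is a FILE: cache owned by that user and not readable by others, and then execs aklog with a minimal environment. The argument layout, the default aklog path of /usr/bin/aklog and the helper names are assumptions; the behaviour it guards against is real: a MEMORY: cache created by pam_krb5 exists only inside the login process and cannot be seen by a forked aklog, so the helper refuses anything but a file cache rather than silently producing no token.

```python
"""Token helper to be exec'd by a pam_afs2-style session module.

Added example, not pam_afs2/gafstoken/gssklog code.  Assumptions:
argv[1] is the user name, argv[2] an optional aklog path, and the
calling module has already done setpag() so this process inherits it.
"""
import os
import pwd
import stat
import sys


def parse_ccname(name):
    """Split KRB5CCNAME into (type, residual); a bare path means FILE."""
    if not name:
        raise ValueError("KRB5CCNAME is not set")
    if ":" in name and not name.startswith("/"):
        cctype, residual = name.split(":", 1)
    else:
        cctype, residual = "FILE", name
    return cctype.upper(), residual


def validate_ccache(name, uid, statfn=os.lstat):
    """Return the cache path if a forked aklog running as `uid` can use it.

    Rejects non-FILE caches (MEMORY: is process-local and invisible to a
    child; KEYRING:/DIR: are not handled here), relative paths, symlinks
    and non-regular files (lstat does not follow links), files owned by
    another uid, and files readable by group or others.  `statfn` is
    injectable so the checks can be exercised without a real file.
    """
    cctype, path = parse_ccname(name)
    if cctype != "FILE":
        raise ValueError("cache type %s unusable by a forked aklog" % cctype)
    if not path.startswith("/"):
        raise ValueError("cache path must be absolute")
    st = statfn(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("cache is not a regular file")
    if st.st_uid != uid:
        raise ValueError("cache owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("cache is group/world accessible")
    return path


def build_env(path):
    """Minimal environment for aklog: the cache and a fixed PATH only, so
    nothing inherited from the login process (LD_PRELOAD, LD_LIBRARY_PATH
    pointing at a different Kerberos) reaches the token program."""
    return {"KRB5CCNAME": "FILE:" + path, "PATH": "/usr/bin:/bin"}


def drop_privileges(pw):
    """Become the user: supplementary groups, gid, then uid (order matters)."""
    os.initgroups(pw.pw_name, pw.pw_gid)
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: afs_token_helper USER [AKLOG]\n")
        return 2
    pw = pwd.getpwnam(argv[1])
    aklog = argv[2] if len(argv) > 2 else "/usr/bin/aklog"  # assumed path
    # PAM session modules run as root; drop first so the stat and the
    # later open by aklog both happen with the user's own permissions.
    if os.geteuid() == 0:
        drop_privileges(pw)
    try:
        path = validate_ccache(os.environ.get("KRB5CCNAME"), pw.pw_uid)
    except ValueError as e:
        sys.stderr.write("afs_token_helper: %s\n" % e)
        return 1
    os.execve(aklog, [aklog], build_env(path))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The helper itself has no Kerberos or AFS library dependency, which is the point of the split: whatever aklog (OpenAFS, MIT, Heimdal, or gssklog) sits at the exec'd path brings its own libraries, and the module and the login application are never linked against them.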