[OpenAFS] home on afs woes

Douglas E. Engert deengert@anl.gov
Wed, 11 Jan 2006 16:01:20 -0600

Juha Jäykkä wrote:

>>sshd won't leak this token to the user if your PAM setup is appropriate.
>>You have to make sure that the user is put into their own PAG as part of
>>the session initialization process, even if they don't get a token.
> I would have thought pam_krb5.so [1] does this by itself, but apparently I
> am mistaken (again).

Not really. pam_krb5 is for Kerberos. PAGs are for AFS. Kerberos is much
more widely used than AFS, so many pam_krb5 routines don't know anything
about AFS or PAGs. But some do, so look for a pam_krb5afs.so.

> While it would be relatively easy to write a small
> pam module to handle the creation of a suitable PAG, I must wonder whether
> one exists already?

Yes, pam_afs2 can be called after a pam_krb5 to get a PAG, and fork/exec
an aklog, ak5log, afslogin or gssklog to get the tokens.

See ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

> Anything that depends on aklog from openafs-krb5 will
> not do since it just segfaults (probably the AES keys again, but I did =
> test this point).
> By the way, is Heimdal's kinit/afslog at fault here for not creating the
> proper PAG? It's very convenient to have kinit do all the tricks, but if
> it does them wrong...
>>Ah!  Thank you for saying!  I never would have guessed that, and now
>>I'll know for the future.
> You're welcome.
> Cheers,
> Juha
> [1] The version from :pserver:anoncvs@rhlinux.redhat.com:/usr/local/CVS=
> it looks like it's the old RedHat pam_krb5.so emerged with the sf.net
> version and with still active development unlike any other pam_krb5.so I
> can find.


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
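A PAM stack illustrating the ordering Douglas describes (pam_krb5 first, pam_afs2 after it during session setup), given here as an added example rather than text from the mail or from pam_afs2's own documentation; the module filename pam_afs2.so, the use of the session stack, the service file path and the absence of module options are all assumptions:

```text
# /etc/pam.d/sshd (assumed path) -- excerpt; added example, not from the original mail

# Kerberos only. pam_krb5 handles the Kerberos ticket but knows nothing
# about AFS or PAGs, so the user's session is never placed in its own PAG.
auth      sufficient  pam_krb5.so
account   required    pam_krb5.so
session   optional    pam_krb5.so

# Kerberos plus AFS. pam_afs2 (module name assumed to be pam_afs2.so) runs
# after pam_krb5 in session setup: it puts the session into a new PAG and
# then fork/execs aklog, ak5log, afslogin or gssklog so the AFS token is
# obtained inside that PAG rather than inherited from the sshd process.
auth      sufficient  pam_krb5.so
account   required    pam_krb5.so
session   optional    pam_krb5.so
session   optional    pam_afs2.so
```

The check a practitioner would make after enabling the second variant is that a fresh ssh login lands in its own PAG and holds its own token, while a login that fails to obtain a token still gets a PAG and no token at all.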