[OpenAFS] home on afs woes
Douglas E. Engert
Wed, 11 Jan 2006 16:01:20 -0600
Juha J=E4ykk=E4 wrote:
>>sshd won't leak this token to the user if your PAM setup is appropriate=
>>You have to make sure that the user is put into their own PAG as part o=
>>the session initialization process, even if they don't get a token.
> I would have thought pam_krb5.so  does this by itself, but apparentl=
> am mistaken (again).
Not really. pam_krb5 is for Kerberos. PAGs are for AFS. Kerberos is much
more widely used then AFS so many pam_krb5 routines don't know anything
about AFS, or PAGs. But some do, so look for a pam_krb5afs.so
> While it would be relatively easy to write a small
> pam module to handle the creation of a suitable PAG, I must wonder whet=
> one exists already?=20
Yes, pam_afs2 can be called after a pam_krb5 to get a PAG, and fork/exec
a aklog, ak5log, afslogin or gssklog to get the tokens.
> Anything that depends on aklog from openafs-krb5 will
> not do since it just segfaults (probably the AES keys again, but I did =
> test this point).
> By the way, is Heimdal's kinit/afslog at fault here for not creating th=
> proper PAG? It's very convenient to have kinit do all the tricks, but i=
> it does them wrong...
>>Ah! Thank you for saying! I never would have guessed that, and now
>>I'll know for the future.
> You're welcome.
>  The version from :pserver:email@example.com:/usr/local/CVS=
> it looks like it's the old RedHat pam_krb5.so emerged with the sf.net
> version and with still active development unlike any other pam_krb5.so =
> can find.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439