[OpenAFS] home on afs woes

Juha Jäykkä juolja@utu.fi
Fri, 13 Jan 2006 21:00:06 +0200



> I would like to see the OpenAFS people pick this up and distribute the
> pam_afs2 or its equivalent with OpenAFS, as it is only used by AFS. The
> discussions on the list lately are headed this way.

I support that idea. It is the only PAM module which does things the Right
Way(tm). I did some testing with OpenSSH 4.2, PAM and OpenAFS today (the
whole day, actually) and here is what I found out:

RedHat's pam_krb5.so

Will leak tokens (not create a PAG) when authenticating with pubkey
Gets tokens when given kerberos password
Does not get tokens when given the password pam_unix.so uses
Gets tokens when authenticating with gssapi
All this works no matter how sshd is configured


Debian's pam_krb5.so (where does this originate from?)

Will leak tokens (not create a PAG) when authenticating with pubkey
Does not get tokens when given the password pam_unix.so uses
Gets tokens when authenticating with gssapi
All this works no matter how sshd is configured

Debian's pam_krb5.so also gets the tokens when authenticating using
kerberos password IF AND ONLY IF the following sshd config variables have
the following values:

PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no


BOTH these modules need Douglas's pam_afs2.so to make sure someone creates
the PAG. Otherwise things get messy, as noted in earlier posts by
various people.

Does pam_afs2.so *always* create the PAG? I am a little worried it does
not; there are various ways in the code to "goto err" which bypass the
call to libgafstoken, which sets the PAG. Would it be possible to add a
check: if pam_afs2.so detects (available) AFS tokens, it would create the
new PAG no matter what? (No one should call pam_afs2.so twice anyway, so
there should be no fear of creating a new PAG over one we created
previously.)
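A session check an admin can run right after an ssh login to confirm that a PAG was actually created, so the "leaked tokens" case above is caught instead of silently sharing tokens across the whole UID. This is an added example, not code from this mail, pam_afs2 or OpenAFS; it assumes the Linux OpenAFS convention that a PAG is recorded as a supplementary group with a GID in the range 0x41000000..0x41ffffff.

```shell
#!/bin/sh
# Added example: detect whether the current login session has its own AFS PAG.
# Assumption (not stated in the mail): on Linux, k_setpag() represents the PAG
# as a supplementary group whose GID lies in 0x41000000..0x41ffffff.

PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# has_pag "gid gid gid ..."  -> returns 0 if a PAG group is present, 1 otherwise.
# Takes the group list as an argument so it can be checked against constructed
# input as well as against the real output of `id -G`.
has_pag() {
    for gid in $1; do
        case "$gid" in
            *[!0-9]*) continue ;;   # skip anything that is not a plain number
        esac
        if [ "$gid" -ge "$PAG_MIN" ] && [ "$gid" -le "$PAG_MAX" ]; then
            return 0
        fi
    done
    return 1
}

# Check the calling session; run this from a fresh ssh login to see whether
# the PAM stack (pam_krb5 + pam_afs2) did its job for that auth method.
check_session() {
    if has_pag "$(id -G)"; then
        echo "PAG present: tokens are confined to this session"
        return 0
    fi
    echo "no PAG: tokens would be attached to the bare UID (the leak case)"
    return 1
}

# Constructed sample group lists (not real output):
#   has_pag "1000 24 1090519041"  -> 0 (PAG present, 0x41000001)
#   has_pag "1000 24 27"          -> 1 (no PAG)
```

Running check_session once per authentication method (pubkey, password, gssapi) reproduces the per-method table above for your own PAM configuration.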


Also, with RedHat's pam_krb5.so one can change the ticket lifetimes to
something different than the realm default. With Debian's this is not
possible (at least there is nothing about it in the docs).

> I used to be on the Globus project, but not any more. The gatekeeper
> was setup to be able to fork/exec the gssklog. There is a gatekeeper
> patch in with it too.  You could run the gssklog for the Globus users
> while still using Kerberos for your normal users.

This sounds very nice. I'll look into this after this AFS thing is
finished.

Cheers,
Juha

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------
