[OpenAFS] home on afs woes

Douglas E. Engert deengert@anl.gov
Fri, 13 Jan 2006 13:32:35 -0600


Juha Jäykkä wrote:

>>I would like to see the OpenAFS people pick this up and distribute the
>>pam_afs2 or its equivalent with OpenAFS, as it is only used by AFS. The
>>discussions on the list lately are headed this way.
>
>
> I support that idea. It is the only pam module which does things the Right
> Way(tm). I did some testing with OpenSSH 4.2, PAM and OpenAFS today (the
> whole day, actually) and here is what I found out:
>
> RedHat's pam_krb5.so
>
> Will leak tokens (not create a PAG) when authenticating with pubkey
> Gets tokens when given kerberos password
> Does not get tokens when given the password pam_unix.so uses
> Gets tokens when authenticating with gssapi
> All this works no matter how sshd is configured
>
>
> Debian's pam_krb5.so (where does this originate from?)
>
> Will leak tokens (not create a PAG) when authenticating with pubkey
> Does not get tokens when given the password pam_unix.so uses
> Gets tokens when authenticating with gssapi
> All this works no matter how sshd is configured
>
> Debian's pam_krb5.so also gets the tokens when authenticating using
> kerberos password IF AND ONLY IF the following sshd config variables have
> the following values:
>
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> UsePrivilegeSeparation no
>
>
> BOTH these modules need Douglas's pam_afs2.so to make sure someone creates
> the PAG. Otherwise things get messy, like noted in earlier posts by
> various people.
>
> Does pam_afs2.so *always* create the PAG?

Yes, unless you passed in the nopag option. Useful for xlock or xscreensaver
to reuse the current PAG. Tell the pam_krb5 to reuse the ticket cache at the
same time.


> I am a little worried it does
> not, there are various ways in the code to "goto err" which bypasses the
> call to libgafstoken, which sets the pag. Would it be possible to add a
> check: if pam_afs2.so detects (available) AFS tokens, it would create the
> new PAG no matter what?

Not really. pam_afs2 does not detect if there is a PAG already, or if
there are any tokens. It does not have any AFS code in it, only the syscall
fork and exec.

> (No one should call pam_afs2.so twice anyway, so
> there should be no fear of creating a new PAG over one we created
> previously.)
>
>
> Also, with RedHat's pam_krb5.so one can change the ticket lifetimes to
> something different than the realm default. With Debian's this is not
> possible (at least there is nothing about it in the docs).
>
>
>>I used to be on the Globus project, but not any more. The gatekeeper
>>was setup to be able to fork/exec the gssklog. There is a gatekeeper
>>patch in with it too.  You could run the gssklog for the Globus users
>>while still using Kerberos for your normal users.
>
>
> This sounds very nice. I'll look into this after this AFS thing is
> finished.
>
> Cheers,
> Juha
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444