[OpenAFS] PAM and aklog revisit

Douglas E. Engert deengert@anl.gov
Thu, 18 May 2006 20:10:55 -0500

Let me point out one of the features of the pam_afs2. It has no Kerberos
code, and no AFS code (but it does know how to get a PAG). Its function is to
fork/exec aklog, or gssklog or whatever program you specify. It makes sure
the Kerberos ticket cache exists, and passes the KRB5CCNAME to it.

Thus you can use it with existing pam_krb5 modules that don't know about AFS
or with sshd with the forwarded gssapi credentials.  For example, we use
it on Solaris 10 and use the Solaris 10 pam_krb5 and sshd.

As Russ indicated, I would hope it would be used as a starting point for
any pam_afs module distributed by OpenAFS.

See ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

Jeff Blaine wrote:
> Is it safe to say that there will likely not be any
> official pam_aklog module to stack and I should
> start writing my own?
> The code referenced in the message below no longer
> exists at the site indicated.  In fact, the directory
> tree is gone even.
> http://lists.openafs.org/pipermail/openafs-info/2001-May/000945.html


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
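
The flow described in the message above (make sure the ticket cache exists, then fork/exec the helper with KRB5CCNAME passed to it), as an added C example. It is not pam_afs2 source; the function names are hypothetical, only file-based caches are handled, and PAG creation and dropping to the user's uid in the child are left out.

```c
/* Added example, not pam_afs2 code. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the path inside a KRB5CCNAME value ("FILE:/path" or bare "/path"),
 * or NULL for other cache types or when no regular file exists there. */
const char *ccache_file(const char *ccname)
{
    struct stat st;

    if (ccname == NULL)
        return NULL;
    if (strncmp(ccname, "FILE:", 5) == 0)
        ccname += 5;
    /* lstat: a symlink in place of the cache is rejected, not followed */
    if (ccname[0] != '/' || lstat(ccname, &st) != 0 || !S_ISREG(st.st_mode))
        return NULL;
    return ccname;
}

/* Run helper (absolute path, no shell, no PATH search) with an environment
 * that holds only KRB5CCNAME. Returns its exit status, or -1 on failure. */
int run_token_helper(const char *helper, char *const argv[], const char *ccname)
{
    char envbuf[1100];
    char *envp[] = { envbuf, NULL };
    int n, status;
    pid_t pid;

    if (helper == NULL || helper[0] != '/' || ccache_file(ccname) == NULL)
        return -1;
    n = snprintf(envbuf, sizeof envbuf, "KRB5CCNAME=%s", ccname);
    if (n < 0 || n >= (int)sizeof envbuf)
        return -1;                 /* value would be truncated */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```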