[OpenAFS] pam-afs-session 0.1 released

Douglas E. Engert deengert@anl.gov
Mon, 13 Nov 2006 16:17:17 -0600

Russ Allbery wrote:

> I'm pleased to announce release 0.1 of a new AFS PAM session module that
> starts to implement the design that I posted to openafs-devel a while
> back.  Please note that this is the first beta release of a new package
> and is not yet suitable for production use.  I do, however, welcome
> testing and feedback.
>
> pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM
> module to obtain an AFS PAG and AFS tokens on login.  It puts every new
> session in a PAG regardless of whether it was authenticated with Kerberos
> and runs a configurable external program to obtain tokens.  It supports
> using Heimdal's libkafs for the AFS interface and falls back to an
> internal Linux-only implementation if libkafs isn't available.
>
> You can download it from:
>
>     <http://www.eyrie.org/~eagle/software/pam-afs-session/>
>
> That URL also has a link to the to-do list.  Currently, the module only
> supports Linux and requires that you specify which program to run on the
> PAM option line.  See README for configuration details; there is no man
> page yet, but there will be.
>
> The goals for a 1.0 release are porting to Solaris, adding a compile-time
> default for the program to run to obtain tokens, and adding a man page, as
> well as tracking down any bugs that show up in initial testing.
>
> Please let me know of any problems or feature requests.

Attached are some changes to get it to work on Solaris. I compiled
on 10 and 9, and ran it on 9 with sshd.

The mods use syscall to get a PAG and add a few include files.

Feature requests:

   * all aklog type programs support the -p <path> option, so that
     the user's home directory can be passed, so a token for the
     user's cell can be obtained.

   * Should a failure to get a PAG or token be a critical failure?
     i.e. if the routine is called on a system without AFS, or the
     AFS kernel extensions failed to load, which should sshd do?
     I would say continue on, but log a message. You return
     PAM_SESSION_ERR in a lot of these situations. Should this be
     an option?

   * Add support to trap signals around any calls to the AFS kernel
     extensions. This really only applies if syscall is used. This
     will keep a failure of AFS to load from preventing login from working.

   * Don't allow the aklog program to write to stdout or stderr,
     as the messages may be misinterpreted by the client; rsh for
     example could have problems. Something like this in the
     exec'ed process:

         /* in the child, before exec: fd 1 and 2 reopen on /dev/null */
         close(1); open("/dev/null", O_WRONLY);
         close(2); open("/dev/null", O_WRONLY);

   * You specifically check for KRB5CCNAME, and only call the aklog
     if it is present. It is really up to the aklog program to find
     the credentials, and it should still be called.

      (1) On some systems like HP-UX that do not support pam_env,
          the KRB5CCNAME may not be set, yet tickets are available,
          using the default uid-based cache name.

      (2) You are assuming that Kerberos is required. There are some
          AFS sites that run Globus, and use gssklog with the GLOBUS
          GSI using certificates to get an AFS token.

   * Do you want to call it pam_afs_session? Sam's routine has the same
     name. Should you use a different name? Your routine can also be
     called from auth for pam_setcred. So why does it have _session?
     How about pam_afs3.



  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
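
The stdout/stderr redirection requested above, as an added example that is not code from pam-afs-session or the attached patch: it uses dup2() so that a failed open() of /dev/null is reported instead of leaving descriptor 1 or 2 closed, and the helper path and arguments named in the comments are assumptions.

```c
/* Added example, not from pam-afs-session or the patch: run a helper such as
 * aklog with stdout/stderr sent to /dev/null.  Unlike close(1); open(...),
 * dup2() leaves the descriptor valid even when the open fails, and the
 * failure is reported instead of silently leaving fd 1 or 2 closed. */
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point fd at /dev/null.  Returns 0 on success, -1 with errno set. */
static int
silence_fd(int fd)
{
    int devnull = open("/dev/null", O_WRONLY);
    if (devnull < 0)
        return -1;
    if (devnull == fd)          /* fd was already closed; open() reused it */
        return 0;
    if (dup2(devnull, fd) < 0) {
        int oerrno = errno;
        close(devnull);
        errno = oerrno;
        return -1;
    }
    close(devnull);
    return 0;
}

/* Fork, silence the child's stdout/stderr, exec path with argv, and wait.
 * Returns the child's exit status, or -1 on fork/wait failure or a child
 * that did not exit normally; exec failure exits 127 as a shell would. */
int
run_silent(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (silence_fd(STDOUT_FILENO) < 0 || silence_fd(STDERR_FILENO) < 0)
            _exit(127);
        execv(path, argv);      /* e.g. path = "/usr/bin/aklog" (assumed) */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A PAM module would call run_silent() from its session or setcred handler and decide, per the option discussed above, whether a non-zero status is fatal or merely logged.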

--- ./,sys-linux.c	Fri Nov 10 19:07:31 2006
+++ ./sys-linux.c	Mon Nov 13 15:30:30 2006
@@ -9,6 +9,8 @@
  * that don't have libkafs or libkopenafs, or where a dependency on those
  * libraries is not desirable for some reason.
+ * Also works on Solaris  8, 9  and 10 with SYSCALL_NUM = 65  
+ *
  * A more robust implementation of the full kafs interface would have a
  * separate header file with the various system call constants and would
  * support more operations and the k_pioctl interface.  Since this is a
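Review bot: the added comment line carries trailing whitespace and claims Solaris 8 support, while the covering message only reports compiling on 10 and 9 and running on 9; trim the whitespace and state the range actually tested, e.g. ` * Also builds on Solaris 9 and 10 (8 untested) with SYSCALL_NUM = 65`.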
@@ -26,6 +28,14 @@
 #include <sys/types.h>
 #include <unistd.h>
+#if defined(sun)
+#include <sys/syscall.h>
+#include <sys/ioccom.h>
+#ifndef SYSCALL_NUM    
+#define SYSCALL_NUM 65
  * The struct passed to ioctl to do an AFS system call.  Definition taken from
  * the afs/afs_args.h OpenAFS header.
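Review bot: `#define SYSCALL_NUM 65` hard-codes the AFS system call slot with no explanation; if the number is wrong for a given kernel, afs_syscall() will invoke whatever unrelated call lives at that slot with AFS arguments, so add a comment saying where 65 comes from and consider letting configure override it with `AC_DEFINE` rather than relying only on the `#ifndef` fallback. The header counts eight added lines but only five appear here, and neither `#if defined(sun)` nor `#ifndef SYSCALL_NUM` shows its `#endif`; check that the attachment was not mangled in transit.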
@@ -57,9 +67,12 @@
  * by Arla (at least some versions).
 static int
-afs_syscall(long syscall, long param1, long param2, long param3, long param4,
+afs_syscall(long syscall_afs, long param1, long param2, long param3, long param4,
             int *rval)
+#if defined(sun)
+	*rval = syscall(SYSCALL_NUM, syscall_afs, param1, param2, param3, param4);
     struct afsprocdata syscall_data;
     int fd, oerrno;
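Review bot: the Solaris branch stores the result of syscall() in `*rval` but never checks it; syscall() returns -1 with errno set when the slot is not serviced (for instance when the AFS kernel module is not loaded), yet control falls through to the function's shared `return 0;`, so the caller is told the PAG call succeeded. Suggest `if (*rval == -1) return -1;` directly after the call so the error path matches what the ioctl-based code reports. Renaming the parameter from `syscall` to `syscall_afs` is required here, since the old name shadowed the libc syscall() now being called; the header counts three added lines but only two are visible, so confirm the `#else` separating this from the Linux code survived.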
@@ -79,6 +92,7 @@
     oerrno = errno;
     errno = oerrno;
     return 0;
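Review bot: the header counts one added line but none is shown; if it is the `#endif` closing the `#if defined(sun)` opened two hunks up, verify it landed before `return 0;` so that the Linux branch's errno restore is not compiled out on Solaris.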
--- ./,configure.ac	Fri Nov 10 19:07:31 2006
+++ ./configure.ac	Mon Nov 13 15:01:24 2006
@@ -24,6 +24,10 @@
+	 *-solaris*) 
+		AC_LIBOBJ([sys-linux])
+		 ;;
          AC_MSG_ERROR([No suitable kafs implementation found])
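Review bot: the new `*-solaris*)` case reuses the object `sys-linux`, so a Solaris build now compiles a file whose name and leading comment say Linux; either rename it (something like `sys-syscall.c`) or add a comment at the case explaining the reuse. The `*-solaris*)` line also has trailing whitespace.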
@@ -36,6 +40,13 @@
     LDFLAGS="-Wl,-z,defs $LDFLAGS"
+	if test "x${CC}" = xgcc ; then
+		LDFLAGS="-Wl,-z,muldefs $LDFLAGS"
+	else
+		LDFLAGS="-z muldefs $LDFLAGS"
+	fi
+	;;
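Review bot: adding `-z muldefs` right after `-Wl,-z,defs` tells the Solaris linker to accept duplicate symbol definitions, which can hide a real clash where the definition picked is not the one intended; the hunk gives no hint which duplicate forced this, so record it in a comment or resolve the duplicate instead. Also `test "x${CC}" = xgcc` misses a full path to gcc or `CC="gcc -m64"`; AC_PROG_CC already sets `$GCC` to `yes` for any GNU compiler, so `if test "x$GCC" = xyes` is the robust test.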
--- ./,logging.c	Fri Nov 10 19:07:31 2006
+++ ./logging.c	Mon Nov 13 14:28:15 2006
@@ -10,6 +10,7 @@
 #include "config.h"
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdarg.h>
 #include <stdio.h>
--- ./,internal.h	Fri Nov 10 19:07:31 2006
+++ ./internal.h	Mon Nov 13 14:32:15 2006
@@ -9,6 +9,7 @@
 #include "config.h"
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdarg.h>
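Review bot: the same `#include <security/pam_appl.h>` is added to internal.h, logging.c and tokens.c; since internal.h is the shared header and receives the include here, the copies in the .c files are redundant wherever they include internal.h, and a one-line comment stating why it must precede `<security/pam_modules.h>` on Solaris would save the next reader a trip to the man page.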
--- ./,tokens.c	Fri Nov 10 19:07:31 2006
+++ ./tokens.c	Mon Nov 13 14:32:54 2006
@@ -13,6 +13,7 @@
 #include <errno.h>
 #include <pwd.h>
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdio.h>
 #include <string.h>