[OpenAFS] pam-afs-session 0.2 released
Russ Allbery
rra@stanford.edu
Fri, 17 Nov 2006 16:32:31 -0800

I'm pleased to announce release 0.2 of my AFS session PAM module.

pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM
module to obtain an AFS PAG and AFS tokens on login. It puts every new
session in a PAG regardless of whether it was authenticated with Kerberos
and runs a configurable external program to obtain tokens. It supports
using Heimdal's libkafs for the AFS interface and falls back to an
internal Linux-only implementation if libkafs isn't available.

Changes from previous release:

    Add a man page.

    Add a fallback implementation of the AFS system call for platforms
    that use syscall, and add the signal handler protection for the
    k_hasafs probe for those platforms. The PAM module should now build
    on Solaris without requiring libkafs or libkopenafs.

    Add an always_aklog option saying to always run aklog even if the user
    doesn't appear to have a ticket cache.

    Add an aklog_homedir option saying to pass -p <homedir> to aklog.
    This will obtain tokens in whatever AFS cells are required to access
    the user's home directory and can be used when something more complex
    than obtaining tokens in the local default cell is needed.

    Reopen stdout and stderr to /dev/null before running aklog so that any
    error messages from aklog don't confuse the calling program.

    Log a message if aklog fails, but return PAM_SUCCESS from the module
    whether aklog succeeded or not. If we fail, the user may be kicked
    out of their session even though AFS tokens may not be necessary and
    only obtained as a convenience. Obtaining a PAG is still required.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-afs-session/>

Please let me know of any problems or feature requests.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
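
The last two changelog entries above (helper output sent to /dev/null, helper failure logged but not fatal to the session) can be illustrated as follows. This is an added example, not code from pam-afs-session or its author; run_quiet, session_get_tokens and EXAMPLE_PAM_SUCCESS are hypothetical names, and /bin/sh stands in for aklog.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

#define EXAMPLE_PAM_SUCCESS 0   /* stand-in so this builds without PAM headers */

/* Run a helper with stdout/stderr reopened to /dev/null.  Returns its exit
 * status, 126/127 if setup or exec failed in the child, -1 otherwise. */
int run_quiet(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open("/dev/null", O_WRONLY);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0)
            _exit(126);
        if (fd > STDERR_FILENO)
            close(fd);
        execv(path, argv);          /* absolute path: no PATH lookup */
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical session hook: log a helper failure, never fail the session. */
int session_get_tokens(const char *helper, char *const argv[])
{
    int rc = run_quiet(helper, argv);
    if (rc != 0)
        syslog(LOG_ERR, "token helper %s failed (status %d)", helper, rc);
    return EXAMPLE_PAM_SUCCESS;
}

int main(void)
{
    /* Constructed stand-in for aklog: noisy on both streams, exits 3. */
    char *argv[] = { "sh", "-c", "echo out; echo err >&2; exit 3", NULL };
    printf("helper status %d, session result %d\n",
           run_quiet("/bin/sh", argv), session_get_tokens("/bin/sh", argv));
    return 0;
}
```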