[OpenAFS] pam-afs-session 0.2 released

Russ Allbery rra@stanford.edu
Fri, 17 Nov 2006 16:32:31 -0800

I'm pleased to announce release 0.2 of my AFS session PAM module.

pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM
module to obtain an AFS PAG and AFS tokens on login.  It puts every new
session in a PAG regardless of whether it was authenticated with Kerberos
and runs a configurable external program to obtain tokens.  It supports
using Heimdal's libkafs for the AFS interface and falls back to an
internal Linux-only implementation if libkafs isn't available.

Changes from previous release:

    Add a man page.

    Add a fallback implementation of the AFS system call for platforms
    that use syscall, and add the signal handler protection for the
    k_hasafs probe for those platforms.  The PAM module should now build
    on Solaris without requiring libkafs or libkopenafs.

    Add an always_aklog option saying to always run aklog even if the user
    doesn't appear to have a ticket cache.

    Add an aklog_homedir option saying to pass -p <homedir> to aklog.
    This will obtain tokens in whatever AFS cells are required to access
    the user's home directory and can be used when something more complex
    than obtaining tokens in the local default cell is needed.

    Reopen stdout and stderr to /dev/null before running aklog so that any
    error messages from aklog don't confuse the calling program.

    Log a message if aklog fails, but return PAM_SUCCESS from the module
    whether aklog succeeded or not.  If we fail, the user may be kicked
    out of their session even though AFS tokens may not be necessary and
    only obtained as a convenience.  Obtaining a PAG is still required.

You can download it from:


Please let me know of any problems or feature requests.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>