[OpenAFS] Re: openSuSE 10.1 krb5 through windows kdc, openafs 1.4.x, PAM
Simon Wilkinson
sxw@inf.ed.ac.uk
Thu, 12 Apr 2007 21:43:04 +0100 (BST)

On Thu, 12 Apr 2007, Joe Buehler wrote:
> Alexander Al wrote:
>
>> Is there someone who could tell me how I should configure PAM
>> with krb5 with a Windows kdc and openafs client 1.4.x ?
>
> My own related question -- What is the "best" way to get AFS tokens
> during login when using krb5? There seems to be more than one way
> to do it, as far as PAM goes, and it is not clear to me what is
> currently best practice.

The best way I am aware of is to get your Kerberos 5 credentials using a
'normal' pam_krb5, running in the auth section of the stack. Then, use a
PAM AFS session module to use these to get AFS credentials at session
establishment (in the 'session' part of the PAM stack). There are two such
modules of which I am currently aware:

* Doug Engert's pam_afs2
  (ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar and
  ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar)
* Russ Allbery's pam_openafs_session
  (http://www.eyrie.org/~eagle/software/pam-afs-session/)

We're currently using pam_afs2 here - I think it's likely we'll
investigate moving to pam_openafs_session for our next major release.

The place you'll generally run into pain is with OpenSSH - due to its
unique method of calling the PAM stack. Doing everything in a session
module dramatically reduces this pain.

Cheers,
Simon.
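
Added example (not part of the original message, and not code from any of the projects mentioned): a Python check that a PAM service file follows the layout described above, with a Kerberos 5 module in auth and an AFS session module in session. The module file names and the sample stack are assumptions constructed for illustration; lines that include other files are reported so those files can be checked too.

```python
import re

# Assumed module file names; confirm against what your packages install.
KRB5_MODULES = {"pam_krb5.so"}
AFS_SESSION_MODULES = {"pam_afs2.so", "pam_afs_session.so"}

# Constructed sample PAM service file, not taken from the original message.
SAMPLE_STACK = """\
# constructed example service file
auth     required    pam_env.so
auth     sufficient  /lib/security/pam_krb5.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so
-session optional    pam_afs_session.so
"""

# type, control (plain word or [bracketed list]), module path
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return ({type: [module basenames]}, {type: [included files]})."""
    modules = {t: [] for t in ("auth", "account", "password", "session")}
    includes = {t: [] for t in modules}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        kind, control, target = m.groups()
        if control in ("include", "substack"):
            includes[kind].append(target)   # must be checked separately
        else:
            modules[kind].append(target.rsplit("/", 1)[-1])
    return modules, includes

def check_layout(text):
    """List deviations from: krb5 in auth, AFS token module in session."""
    modules, includes = parse_stack(text)
    problems = []
    for kind, wanted, label in (("auth", KRB5_MODULES, "Kerberos 5"),
                                ("session", AFS_SESSION_MODULES, "AFS session")):
        if not wanted & set(modules[kind]):
            hint = f" (also check {', '.join(includes[kind])})" if includes[kind] else ""
            problems.append(f"no {label} module in {kind}{hint}")
    return problems

if __name__ == "__main__":
    print(check_layout(SAMPLE_STACK) or "layout matches")
```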