[OpenAFS] AFS token, SSH, KRB[5]

Rainer Laatsch Laatsch@rrz.uni-koeln.de
Tue, 19 Jun 2007 14:11:37 +0200 (CEST)


I updated the files slightly and added a 'README' in
 /afs/rrz.uni-koeln.de/vol/pam/pam_runexec/
that hopefully answers some more questions.
My aim was to have a 'ready to run' module.
If a PAG gets lost, this code tries to reconnect the PAG
within the PAM session. No special AFS trap handlers are used.
I tried to keep close to 'do_klog' from OpenAFS's pam_afs.so.1.
The scanning of PAM parameters now allows a comma-separated list to give
multiple arguments to the finally executed program.
A flag 'usekrb4' or 'usekrb5' in the PAM configuration file can
switch between kaserver and KRB5.
I like to use D. Engert's 'gssklog', which helps with running both in parallel.

Best regards
Rainer Laatsch
________________________________	______________________
E-mail: Laatsch@Uni-Koeln.DE		Universitaet zu Koeln
					Reg. Rechenzentrum (ZAIK/RRZK)
Fax   : (0221) 478-5590			Robert-Koch-Str. 10
Tel   : (0221) 478-5582			D-50931 Koeln

On Thu, 7 Jun 2007, Russ Allbery wrote:

> Rainer Laatsch <Laatsch@rrz.uni-koeln.de> writes:
>
> > Interested parties might want to have a look at
> > /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
> > The pam_runexec is configurable to get a token by executing [KRB4]
> > klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
> > In "auth", a pag is set, and a session based ticket file is also created.
> > In "session", the pag is recovered and the ticket file permissions
> > corrected, if needed.
>
> Out of curiosity, what did you find was missing from existing PAM modules
> that led you to write your own?