[OpenAFS] AFS token, SSH, KRB[5]

Rainer Laatsch Laatsch@rrz.uni-koeln.de
Tue, 19 Jun 2007 15:11:53 +0200 (CEST)


I just sent an answer to Russ's question to the list. With the debugging
of my code I try to analyze if and where an AFS token may get lost and
possibly remedy that. As long as pam_afs works, there is no benefit here.
When using gssklog, switching to KRB5 is much easier (no change to the
master AFS KeyFile is required). There are other pitfalls if the KRB5
ticket file is left with owner 'root', inaccessible to the user. That is
fixed here.
To effectively use the code, you must be an admin and possibly have KRB5
ready. The security question: there are pros and cons; finally one has
to decide oneself.
Best regards
Rainer Laatsch
________________________________	______________________
E-mail: Laatsch@Uni-Koeln.DE		Universitaet zu Koeln
					Reg. Rechenzentrum (ZAIK/RRZK)
Fax   : (0221) 478-5590			Robert-Koch-Str. 10
Tel   : (0221) 478-5582			D-50931 Koeln

On Fri, 15 Jun 2007, Paul Johnson wrote:

> On 6/7/07, Rainer Laatsch <Laatsch@rrz.uni-koeln.de> wrote:
> > Interested parties might want to have a look at
> > /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
> > The pam_runexec is configurable to get a token by executing [KRB4]
> > klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
> > In "auth", a pag is set, and a session based ticket file is also created.
>
> Dear Rainer:
> ...
> I'm just a client user of openafs, not a server administrator or
> programmer.  How is the approach you propose different from pam_afs
> and what benefit do I (the pam-ignorant system administrator) get from
> using your approach?
>
> Until now, pam_afs has worked for me on Fedora Core 5 and 6, but I
> have some troubles in getting tokens in Fedora 7, so I might like to
> try your approach.  But you don't give enough information for me to
> understand what your package does differently.  I also wonder if there
> are security implications from making a change like this.
>
> pj
>
>
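The pitfall Rainer mentions above (a KRB5 ticket file created by a PAM module running as root and left unreadable by the login user) is easy to check for from a session hook or an admin shell. The following is an added example, not code from the thread or from pam_runexec; the credential cache path shown in the usage comment and the name of the fixing function are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from pam_runexec): verify that a
# Kerberos 5 credential cache file belongs to the login user and is not
# readable by anyone else; optionally repair it, which is what a PAM
# session hook running as root would do after kinit created the file.

# ccache_check FILE USER -> 0 if FILE is a regular file owned by USER with
# no group/other permission bits; 1 otherwise (reason on stderr).
ccache_check() {
    f=$1; u=$2
    if [ ! -f "$f" ]; then
        echo "ccache_check: $f: no such regular file" >&2
        return 1
    fi
    # POSIX find prints the path only when the owner matches; an unknown
    # user name makes find fail with empty output, also treated as a mismatch.
    if [ -z "$(find "$f" -user "$u" 2>/dev/null)" ]; then
        echo "ccache_check: $f: not owned by $u" >&2
        return 1
    fi
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "ccache_check: $f: group/other permissions set ($perms)" >&2
        return 1
    fi
    return 0
}

# ccache_fix FILE USER -> make FILE the private property of USER.
# Needs root unless USER already owns the file (then only the mode changes).
ccache_fix() {
    chown "$2" "$1" && chmod 600 "$1"
}

# Usage (assumed path; real names depend on the krb5 ccache setup):
#   ccache_check /tmp/krb5cc_1000_XXXX "$(id -un)" || \
#       ccache_fix /tmp/krb5cc_1000_XXXX "$(id -un)"
```

Running the check before starting the user's shell catches the case where kinit was executed as root inside the PAM stack and the resulting file was never handed over to the user; the fix is only meaningful from the root-running hook itself.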