[OpenAFS] Obtain PAG/Token in pam_setcred() or in pam_open_session()?
Thu, 10 May 2007 09:51:22 +0200
In the past, I used to configure PAM to setpag and obtain tokens
during session setup.
In the newest kdm version (3.5.6) this is no longer possible.
Group changes during pam_open_session() are undone before the
client is started, and so the PAG is lost.
I opened a bug with KDE ( http://bugs.kde.org/show_bug.cgi?id=145188 )
but the maintainer convincingly argues that credentials should be
obtained by pam_setcred() instead.
What is your opinion?
Should one strive to manage the tokens in the authentication phase?
Does it just work if pam is correctly configured or are there major issues?
I have not yet researched this path. What I see is:
- I cannot use pam_keyinit on Linux, because it will destroy the PAG key
during session setup. Probably no big deal as long as only AFS uses
- Applications like OpenSSH, that get a krb5 ticket via GSSAPI and
need to get a token from it, might need to do it in the session
component of pam_krb5. Or maybe I should look into pam_afs_session.
Or do you think token management should be done in session management?
If so, do you have convincing arguments for the KDE people?
mostly Fedora Linux, Kerberos 5 KDC.
Hans Ranke Ranke@tum.de
Lehrstuhl fuer Entwurfsautomatisierung / Institute for Electronic Design Automation
Technische Universitaet Muenchen, Germany
Phone +49 89 289 23660 Fax +49 89 289 63666
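An added example, not from the post or from the OpenAFS or KDE projects, of what the two approaches discussed above look like in a Linux PAM service file. It assumes Russ Allbery's pam_afs_session module, whose entry in the auth stack does its work in pam_setcred() and whose entry in the session stack does it in pam_open_session(); the service name and the pam_krb5/pam_unix lines are assumptions for illustration.

```text
# /etc/pam.d/kdm  (added example; module names and options are assumed)

# Session-phase approach: the PAG and token are created only in
# pam_open_session().  With kdm 3.5.6 the group changes made there are
# undone before the client starts, so a PAG carried in the group list
# is lost and the session ends up without a token.
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
session  required    pam_afs_session.so

# setcred approach, as the kdm maintainer suggests: listing
# pam_afs_session in the auth stack makes it create the PAG and obtain
# the token from pam_setcred(PAM_ESTABLISH_CRED), which is not subject
# to the post-session group reset.  The session entry is kept as
# "optional" for services that only go through pam_open_session(); a
# stack that is missing the auth entry would silently fall back to the
# session-only behaviour, so check both lines when diagnosing a lost PAG.
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
auth     optional    pam_afs_session.so
session  optional    pam_afs_session.so
```

After logging in, running `tokens` (and `id` to see the PAG groups on kernels that still implement PAGs as supplementary GIDs) from the started session shows whether the credentials survived.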