[OpenAFS] Obtain PAG/Token in pam_setcred() or in pam_open_session()?

Russ Allbery rra@stanford.edu
Thu, 10 May 2007 08:35:34 -0700

Hans Ranke <Hans.Ranke@ei.tum.de> writes:

> in the past, I used to configure PAM to setpag and obtain tokens during
> session setup.

> In the newest kdm version (3.5.6) this is no longer possible.
> Group changes during pam_open_session() are undone before the
> client is started, and so the PAG is lost.

> I opened a bug with KDE ( http://bugs.kde.org/show_bug.cgi?id=145188 )
> but the maintainer convincingly argues that credentials should be
> obtained by pam_setcred() instead.

> What is your opinion?
> Should one strive to manage the tokens in the authentication phase?

I think they're being silly, but my pam-afs-session module should work
fine since it tries to do PAG setup in setcred and then falls back to
doing it during open_session if setcred wasn't called.

>   - Applications like openssh, that get a krb5 ticket via GSSAPI and
>     need to get a token from it, might need to do it in the session
>     component of pam_krb5. Or maybe I should look into pam_afs_session.

OpenSSH calls setcred, so pam-afs-session should work fine if configured
to run as part of the auth group.  There are examples in the documentation
(it's a bit tricky since pam-afs-session doesn't actually provide an
authentication function).

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
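As an illustration of the auth-group arrangement Russ alludes to (added here; not code from the thread or from the pam-afs-session documentation), assuming Linux-PAM's bracketed control syntax and an sshd stack that authenticates with pam_krb5 and falls back to pam_unix:

```pam
# /etc/pam.d/sshd (constructed example; adapt to the local stack)
#
# auth group: pam_afs_session does no authentication of its own, so it
# must never be the module that lets a login succeed. pam_krb5 decides;
# on success control continues to pam_afs_session (ok), on any failure
# the afs line is skipped (default=1) and pam_unix gets its turn.
# pam_setcred() walks this same stack with the same control flags, which
# is why a plain "sufficient" on pam_krb5 would stop the stack before
# pam_afs_session ever saw the setcred call and no PAG would be created.
auth      [success=ok default=1]  pam_krb5.so
auth      [default=done]          pam_afs_session.so
auth      required                pam_unix.so try_first_pass

# session group: the same module again. If the application already
# called pam_setcred() (OpenSSH does), the PAG and tokens exist and this
# is a no-op; if it only calls pam_open_session(), the work happens here.
session   required    pam_unix.so
session   optional    pam_krb5.so
session   optional    pam_afs_session.so
```

The check worth making on any such stack is that every path through the auth group still passes through a real authenticator (pam_krb5 or pam_unix here) before reaching a module marked `done`.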