[OpenAFS] Obtain PAG/Token in pam_setcred() or in pam_open_session()?
Russ Allbery
rra@stanford.edu
Thu, 10 May 2007 08:35:34 -0700
Hans Ranke <Hans.Ranke@ei.tum.de> writes:
> in the past, I used to configure PAM to setpag and obtain tokens during
> session setup.
> In the newest kdm version (3.5.6) this is no longer possible.
> Group changes during pam_open_session() are undone before the
> client is started, and so the PAG is lost.
> I opened a bug with KDE ( http://bugs.kde.org/show_bug.cgi?id=145188 )
> but the maintainer convincingly argues that credentials should be
> obtained by pam_setcred() instead.
> What is your opinion?
> Should one strive to manage the tokens in the authentication phase?
I think they're being silly, but my pam-afs-session module should work
fine since it tries to do PAG setup in setcred and then falls back to
doing it during open_session if setcred wasn't called.
> - Applications like openssh, that get a krb5 ticket via GSSAPI and
> need to get a token from it, might need to do it in the session
> component of pam_krb5. Or maybe I should look into pam_afs_session.
OpenSSH calls setcred, so pam-afs-session should work fine if configured
to run as part of the auth group. There are examples in the documentation
(it's a bit tricky since pam-afs-session doesn't actually provide an
authentication function).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
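To make the recommendation above concrete, here is an added PAM stacking example for an sshd service file (this is not from the original thread or from the pam-afs-session documentation; the file name /etc/pam.d/sshd, the surrounding pam_krb5/pam_unix lines and the control flags are assumptions chosen to illustrate the point). It lists pam_afs_session.so in the auth group, so that a setcred() call from sshd reaches it and creates the PAG and tokens there, and again in the session group, so that the module's open_session fallback covers clients such as the kdm version discussed above that undo group changes after the session phase.

```text
# /etc/pam.d/sshd  (constructed example; adjust to your own stack)
#
# Real authentication comes from pam_krb5 / pam_unix.  pam_afs_session
# provides no authentication function of its own (see the thread above),
# so it is listed as "optional": it can never satisfy the auth stack by
# itself, it is only present so that pam_setcred() is dispatched to it.
auth     sufficient pam_krb5.so
auth     required   pam_unix.so try_first_pass
auth     optional   pam_afs_session.so

account  required   pam_unix.so

# Session entry: pam_afs_session sets up the PAG/tokens here only if
# setcred was not already called earlier in the same PAM transaction.
session  required   pam_unix.so
session  optional   pam_afs_session.so
```

Two things worth checking after deploying a stack like this: that the module is not marked `sufficient` or `required` in the auth group (a module that returns without authenticating anyone must not be able to decide the outcome of that stack), and that an interactive login actually lands in a fresh PAG with a token, which you can confirm from the resulting session with `tokens` and by inspecting the process's supplementary groups.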