[OpenAFS] buggy openafs pam module?
Eric Cheu EKCHEU
ekcheu@uncg.edu
Thu, 11 Feb 2010 13:18:50 -0500
We're still using the old AFS kaserver at our university, and it took a
while to figure out what was going on. I've had no problems with the PAM
module included in the OpenAFS source distribution for Solaris and with
sshd using PAM. But with Red Hat Linux I ran into some issues. PAM was
giving back PAM_REINITIALIZE_CRED... but if you look at the code in
afs_setcred.c in the src/pam directory, that code just returns back a
success message and no tokens. Had to modify the code to get tokens...
You would think that "reinitialize" would mean to reinitialize the
credentials and get tokens... but maybe it was done that way for a reason?
At line 189, comment out these lines:
    // } else if (flags & PAM_REINITIALIZE_CRED) {
    //     if (logmask && LOG_MASK(LOG_DEBUG))
    //         pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
    //     RET(PAM_SUCCESS);
Insert these lines at about line 305 or so:
    if (flags & PAM_REINITIALIZE_CRED) {
        if (use_klog)
            auth_ok = !do_klog(user, password, NULL, cell_ptr);
        else {
            if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
                                           NULL,              /* instance */
                                           cell_ptr,          /* realm */
                                           password,          /* password */
                                           0,                 /* default lifetime */
                                           &password_expires,
                                           0,                 /* spare 2 */
                                           &reason            /* error string */
                                           )) {
                pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason);
            } else {
                auth_ok = 1;
            }
        }
    }
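As an added example that is not part of the post or of the OpenAFS source, the following C models the pam_sm_setcred() flag dispatch the post describes, with the shipped handling of PAM_REINITIALIZE_CRED (answer PAM_SUCCESS, obtain no tokens) beside the handling the post's change gives it (authenticate and obtain tokens, as for PAM_ESTABLISH_CRED). It assumes Linux-PAM's numeric values for the flags and status codes (copied in so it builds without libpam headers), replaces the ka_UserAuthenticateGeneral()/do_klog() step with a mock that only checks that a cached password is present, and uses a constructed user, password and cell name; returning PAM_CRED_ERR when that step fails is the example's own choice, not something the post specifies.

```c
/*
 * Added example, not OpenAFS code: a model of the pam_sm_setcred() dispatch
 * the post describes, with the shipped behaviour (REINITIALIZE answered with
 * PAM_SUCCESS and no token) beside the post's change (REINITIALIZE runs the
 * same authenticate-and-get-token step as ESTABLISH).
 *
 * Assumptions: the numeric PAM flag and status values are Linux-PAM's, copied
 * here so the file needs no libpam headers; mock_get_token() stands in for the
 * real ka_UserAuthenticateGeneral()/do_klog() step and never contacts a
 * kaserver; the "cached password" argument models the password the module
 * saved at authentication time. Flags other than ESTABLISH and REINITIALIZE
 * are a no-op here, a simplification of the real module.
 */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS            0
#define PAM_CRED_ERR           17

#define PAM_ESTABLISH_CRED     0x0002
#define PAM_DELETE_CRED        0x0004
#define PAM_REINITIALIZE_CRED  0x0008
#define PAM_REFRESH_CRED       0x0010

/* Per-call token state; the real module's equivalent lives in the PAG. */
struct token_state {
    int  have_token;          /* 1 once a token was obtained */
    int  auth_attempts;       /* how many times the mock kaserver was asked */
    char cell[64];
};

/* Stand-in for the authenticate-and-get-token step. Succeeds only if a cached
 * password is available, which is the input the post's inserted block hands
 * to ka_UserAuthenticateGeneral(). */
static int mock_get_token(struct token_state *st, const char *user,
                          const char *password, const char *cell)
{
    st->auth_attempts++;
    if (user == NULL || password == NULL || password[0] == '\0')
        return -1;
    snprintf(st->cell, sizeof st->cell, "%s", cell);
    st->have_token = 1;
    return 0;
}

/* Shipped behaviour as the post reads afs_setcred.c: the REINITIALIZE branch
 * returns PAM_SUCCESS before the code that obtains tokens is reached. */
int setcred_shipped(struct token_state *st, int flags, const char *user,
                    const char *password, const char *cell)
{
    if (flags & PAM_REINITIALIZE_CRED)
        return PAM_SUCCESS;                  /* "success", but no token */
    if (flags & PAM_ESTABLISH_CRED)
        return mock_get_token(st, user, password, cell) == 0
               ? PAM_SUCCESS : PAM_CRED_ERR;
    return PAM_SUCCESS;                      /* DELETE/REFRESH: not modelled */
}

/* The post's change: REINITIALIZE takes the same authenticate-and-get-token
 * path as ESTABLISH. Returning PAM_CRED_ERR when that path fails is this
 * example's choice, so a missing cached password shows up as an error rather
 * than as a silent success without tokens. */
int setcred_patched(struct token_state *st, int flags, const char *user,
                    const char *password, const char *cell)
{
    if (flags & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
        return mock_get_token(st, user, password, cell) == 0
               ? PAM_SUCCESS : PAM_CRED_ERR;
    return PAM_SUCCESS;                      /* DELETE/REFRESH: not modelled */
}

/* One setcred call on a fresh state with a constructed user and cell.
 * Returns 1 if the call yielded a token, 0 if it reported PAM_SUCCESS
 * without one, and -1 if it reported an error. */
int scenario(int patched, int flags, const char *cached_password)
{
    struct token_state st;
    int rc;

    memset(&st, 0, sizeof st);
    rc = patched ? setcred_patched(&st, flags, "alice", cached_password, "example.edu")
                 : setcred_shipped(&st, flags, "alice", cached_password, "example.edu");
    if (rc != PAM_SUCCESS)
        return -1;
    return st.have_token ? 1 : 0;
}

int main(void)
{
    printf("shipped, REINITIALIZE, password cached : %d\n",
           scenario(0, PAM_REINITIALIZE_CRED, "s3cret"));
    printf("patched, REINITIALIZE, password cached : %d\n",
           scenario(1, PAM_REINITIALIZE_CRED, "s3cret"));
    printf("patched, REINITIALIZE, no password     : %d\n",
           scenario(1, PAM_REINITIALIZE_CRED, NULL));
    return 0;
}
```

Which flag an application passes on which pam_setcred() call is the application's decision, so the check that matters for a module is that no flag path returns PAM_SUCCESS while the PAG still has no token: callers treat that return as "credentials are in place", and the shipped REINITIALIZE branch is exactly such a path.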