[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Wed, 21 Dec 2011 10:37:57 -0500


Well, I already have in that section...

        <key>authenticate</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate</string>
                <string>builtin:reset-password,privileged</string>
                <string>builtin:authenticate,privileged</string>
                <string>builtin:krb5authnoverify,privileged</string>
                <string>PKINITMechanism:auth,privileged</string>
                <string>aklog:cnf.cornell.edu,privileged</string>
            </array>
        </dict>

and the screensaver refreshes Kerberos tickets but not AFS tokens. You
had mentioned adding the aklog to the mechanisms in the
system.login.screensaver, but that section doesn't even have a
mechanisms section:

        <key>system.login.screensaver</key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>The owner or any administrator can unlock the screensaver.</string>
            <key>rule</key>
            <string>authenticate-session-owner-or-admin</string>
        </dict>


On Wed, Dec 21, 2011 at 10:29:39AM -0500, Derrick Brashear wrote:
> given where system.login.screensaver gets its rules from, i suspect you
> need aklog at the end of here, so an admin can still screen unlock,
> but if a user authenticates the tokens refresh. and if admin
> authenticates and no ticket is written, i wonder what happens...
>                 <key>authenticate</key>
>                 <dict>
>                         <key>class</key>
>                         <string>evaluate-mechanisms</string>
>                         <key>mechanisms</key>
>                         <array>
>                                 <string>builtin:authenticate</string>
>                                 <string>builtin:reset-password,privileged</string>
>                                 <string>builtin:authenticate,privileged</string>
>                                 <string>PKINITMechanism:auth,privileged</string>
>                         </array>
>                 </dict>
>
>
> On Wed, Dec 21, 2011 at 10:14 AM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> > It's a question of where the screensaver looks for its config.
> >
> > On Tue, Dec 20, 2011 at 05:40:17PM -0500, Brandon Allbery wrote:
> >> On Tue, Dec 20, 2011 at 16:04, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> >>
> >> > Makes me wonder, though, why the kerberos ticket renewal still works
> >> > there even though that's not specifically in the screensaver.
> >>
> >>
> >> How do you check a Kerberos password?  You use it to get a ticket.
> >>
> >> --
> >> brandon s allbery                                      allbery.b@gmail.com
> >> wandering unix systems administrator (available)      (412) 475-9364 vm/sms
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > botsch@cnf.cornell.edu
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
> --
> Derrick
>

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************
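The question in this thread is which mechanism list actually runs when the screensaver unlock right is exercised: `system.login.screensaver` is a `rule`-class right delegating to `authenticate-session-owner-or-admin`, which has no mechanisms of its own, so the mechanisms come from the shared `authenticate` rule. The following is an added example, not code from the thread or from OpenAFS or pam-afs-session, that walks that delegation chain over a constructed plist excerpt and reports whether an `aklog` mechanism ends up on the path. The plist is modelled on the fragments quoted above; the body of `authenticate-session-owner-or-admin` is not quoted in the thread, so its `user`-class definition here, and the assumption that `user`-class rules draw their mechanisms from the `authenticate` rule, are assumptions of this example.

```python
"""Resolve the mechanism list behind a macOS authorization right.

Added example (not from the thread, OpenAFS or pam-afs-session). It models
the /etc/authorization layout seen in the quoted messages:
  - a right of class "rule" delegates to one or more named rules;
  - a rule of class "evaluate-mechanisms" lists its mechanisms directly;
  - a rule of class "user" (assumed here for
    authenticate-session-owner-or-admin) gets its mechanisms from the
    special "authenticate" rule.
"""
import plistlib

# Constructed excerpt mimicking the entries quoted in the thread; not a
# real Lion /etc/authorization. The "user" body below is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>session-owner</key><true/>
    </dict>
    <key>authenticate</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:krb5authnoverify,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>aklog:cnf.cornell.edu,privileged</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_authdb(data):
    """Parse an authorization plist (bytes) into a dict."""
    return plistlib.loads(data)


def resolve_mechanisms(db, name, path=()):
    """Follow a right or rule name down to the mechanisms that will run.

    `path` tracks the names already visited so a cyclic delegation is
    reported instead of recursing forever.
    """
    if name in path:
        raise ValueError("delegation cycle at %r: %s" % (name, " -> ".join(path)))
    path = path + (name,)
    entry = db.get("rights", {}).get(name) or db.get("rules", {}).get(name)
    if entry is None:
        raise KeyError("no right or rule named %r" % name)
    cls = entry.get("class")
    if cls == "evaluate-mechanisms":
        return list(entry.get("mechanisms", []))
    if cls == "rule":
        rules = entry["rule"]
        rules = rules if isinstance(rules, list) else [rules]  # string or array
        out = []
        for r in rules:
            out.extend(resolve_mechanisms(db, r, path))
        return out
    if cls == "user":
        # Assumption: user-class rules authenticate via the "authenticate" rule.
        return resolve_mechanisms(db, "authenticate", path)
    return []  # allow, deny and other classes run no mechanisms


def has_mechanism(db, right, plugin):
    """True if any mechanism on `right`'s path belongs to `plugin` (e.g. "aklog")."""
    return any(m.split(":", 1)[0] == plugin for m in resolve_mechanisms(db, right))


if __name__ == "__main__":
    db = load_authdb(SAMPLE_PLIST)
    for m in resolve_mechanisms(db, "system.login.screensaver"):
        print(m)
    print("aklog on unlock path:", has_mechanism(db, "system.login.screensaver", "aklog"))
```

On a real machine the input would come from `security authorizationdb read system.login.screensaver` (and `... read authenticate`), each of which prints one entry as a plist; the resolver above expects the merged `rights`/`rules` dictionaries, so feed it the full database rather than a single entry. Note that mechanism order is preserved: an `aklog` entry only refreshes tokens if it sits after the mechanism that obtains the Kerberos ticket.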