[OpenAFS-port-darwin] krb5 aklog.loginlogout ?
Eric Knauel
knauel@informatik.uni-tuebingen.de
Fri, 18 Jun 2004 11:30:06 +0200
On Fri 18 Jun 2004 10:38, Derrick J Brashear <shadow@dementia.org> writes:
>> Is there a possibility to tie the token to a PAG for the Aqua
>> session so it's not mixed with other sessions, i.e. ssh sessions to
>> the same machine by the same user id?
>
> Well, see, here's the thing. How do you get the WindowServer into a
> PAG? Or rather, i guess the right way to ask that is, how do you
> get it into the PAG you want it in...
After running `pstree' I see the problem. Sigh.
>> Maybe it's easier to open a new PAG for each ssh session. However,
>> finding a pam_krb5 for OS X that actually works seems to be another
>> problem...
>
> Bah, just build openssh with krb5 support directly. Don't go out of
> your way to find problems.
That would be too easy: In that setting there is no way to restrict
who can log on to my machine since it is configured to use NIS as a
user database. So, any NIS user who obtains a Kerberos ticket can log
in via ssh. Unfortunately, there is no way to add only a subset of
users from the NIS map in OS X --- this is possible with other OSes by
saying `@certain-netgroup::' in /etc/passwd.
So I wrote a PAM module `pam_netgroup' that checks whether a user
belongs to a certain NIS netgroup. However, if OpenSSH is configured
with PAM and Kerberos 5 and a user is verified successfully using
Kerberos, sshd doesn't seem to call PAM anymore. This is quite
annoying...
So far I have tried to get some pam_krb5 modules I found while making
intensive use of Google to work with OS X (i.e., fetch a TGT on login
if the user has none and do aklog). However, even the pam_krb5.c from
Apple's Darwin sources homepage (pam_modules-13 or so) doesn't match
the header files distributed with OS X 10.3. Sigh. I wish Apple
would upgrade PAM in OS X to FreeBSD 5 OpenPAM, which seems to be less
broken than other PAM implementations.
-Eric
--
"Excuse me --- Di Du Du Duuuuh Di Dii --- Huh Weeeheeee" (Albert King)
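The netgroup membership test that a pam_netgroup-style module has to make, as an added example that is not Eric's module or any code from this thread. A real module would call innetgr(3) against the live NIS map from its pam_sm_acct_mgmt() hook; this stand-alone version evaluates a constructed in-memory map written in /etc/netgroup syntax (including nested netgroups and wildcard fields) so it runs without NIS. The map contents, group names and user names are assumptions made up for the example.

```c
/* Added example: netgroup membership check in the style of innetgr(3).
 * Evaluates a constructed in-memory map instead of the NIS "netgroup" map. */
#include <stdio.h>
#include <string.h>

/* Constructed sample map in /etc/netgroup syntax: "name (host,user,domain) ...".
 * An empty field matches anything; a bare word refers to another netgroup. */
static const char *NETGROUP_MAP[] = {
    "admins (,alice,) (,bob,)",
    "labhosts (lab1,,) (lab2,,)",
    "staff admins (,carol,)",
    NULL
};

/* A map field matches if it is empty (wildcard), the caller passed NULL
 * ("don't care", as with innetgr), or the strings are identical. */
static int field_ok(const char *want, const char *got, size_t len) {
    return len == 0 || want == NULL ||
           (strlen(want) == len && strncmp(want, got, len) == 0);
}

/* Returns 1 if (host,user,domain) is a member of `group`, 0 otherwise.
 * Malformed entries and unknown groups fail closed; `depth` bounds recursion
 * so a cyclic map cannot hang the login path. Call with depth 0. */
int in_netgroup(const char *group, const char *host, const char *user,
                const char *domain, int depth) {
    if (depth > 16) return 0;
    for (const char **line = NETGROUP_MAP; *line; line++) {
        size_t glen = strcspn(*line, " ");
        if (glen != strlen(group) || strncmp(*line, group, glen) != 0) continue;
        const char *p = *line + glen;
        while (*p) {
            while (*p == ' ') p++;
            if (*p == '(') {                       /* triple: (host,user,domain) */
                const char *h = p + 1, *u = strchr(h, ',');
                const char *d = u ? strchr(u + 1, ',') : NULL;
                const char *e = d ? strchr(d + 1, ')') : NULL;
                if (!u || !d || !e) return 0;      /* malformed entry */
                if (field_ok(host, h, (size_t)(u - h)) && field_ok(user, u + 1, (size_t)(d - u - 1)) &&
                    field_ok(domain, d + 1, (size_t)(e - d - 1)))
                    return 1;
                p = e + 1;
            } else if (*p) {                       /* nested netgroup reference */
                size_t n = strcspn(p, " ");
                char sub[64];
                if (n >= sizeof sub) return 0;
                memcpy(sub, p, n); sub[n] = '\0';
                if (in_netgroup(sub, host, user, domain, depth + 1)) return 1;
                p += n;
            }
        }
        return 0;                                  /* group found, no triple matched */
    }
    return 0;                                      /* no such group */
}
```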