[OpenAFS-port-darwin] Kerberos Plugin that calls a script (was Re: [OpenAFS-devel] aklog on MacOS X )

Ragnar Sundblad ragge@nada.kth.se
Sun, 23 Apr 2006 22:05:49 +0200


On 21 apr 2006, at 21.05, Ben Poliakoff wrote:

> * hays@ibiblio.org <hays@ibiblio.org> [20060421 07:40]:
>
>> Use at your own risk, and if you do use it, please let me know what you
>> think:
>>
>> <http://www.ibiblio.org/macsupport/kerberos/10.4/afslogscript.loginLogout-0.0.1b2-src.tgz>
>> <http://www.ibiblio.org/macsupport/kerberos/10.4/afslogscript.loginLogout-0.0.1b2.tgz>
>>
>
> I've tried it.  It seems to work as advertised.
>
> With the acknowledged caveat that executing shell commands *is* a bit
> of a security risk, this approach certainly gives the admin some nice
> flexibility (it can be used with OpenAFS or Arla).  What do others
> think?

Actually, my plugin works with both OpenAFS and Arla too (see below).
But Bil's approach may be better, it is probably less sensitive to
the changes in the kerberos/afs/whatever environment that happen every
now and then (but hopefully should occur less frequently on Mac OS X
now with the KPIs in place).

I am not yet completely sure that it is a good idea to run subprocesses
from the kerberos lib, even though it seems to work. Maybe we could/should
somehow get Apple to say that it is ok.

/ragge

### OpenAFS Devel partial crosspost :-) ###
Begin forwarded message:
> From: Ragnar Sundblad <ragge@nada.kth.se>
> Date: Monday 10 Apr 2006 04.20.08 GMT+02:00
> To: Ragnar Sundblad <ragge@nada.kth.se>
> Cc: OpenAFS Devel <openafs-devel@openafs.org>
> Subject: Re: [OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions
...
> As far as I can tell, it works fine in 10.4.6 with LoginWindow,
> the screensaver, Kerberos.app and kinit.
>
> The current test version can be found here:
> <file:///afs/nada.kth.se/home/staff/ragge/out/test/>
> <ftp://ftp.nada.kth.se/pub/home/ragge/test/>
>
> /ragge
>
> From the README:
> /*
> * afslog.loginLogout - 2006-04-10  Ragnar Sundblad, ragge@nada.kth.se
> *
> * A Kerberos plug-in that fetches AFS tokens for the user whenever
> * Kerberos tickets are acquired.
> *
> * This version is for Mac OS X 10.4 (Tiger), PowerPC or Intel,
> * and OpenAFS or Arla.
> *
> * It logs in /var/log/system.log using the Apple System Log facility (asl)
> *
> *
> * INSTALLATION
> *
> * Install the plugin in /Library/Kerberos Plug-Ins/ and put the following
> * row in your /Library/Preferences/edu.mit.Kerberos under the
> * [libdefaults] tag:
> *  login_logout_notification = afslog
> *
> * You may also want to enable kerberized login, see:
> * <http://docs.info.apple.com/article.html?artnum=107154>
> * WARNING: In 10.4.6 and probably earlier, you should not use
> * "Fast User Switching" and Kerberos login authentication.
> * If you do, you may find tickets in places where they shouldn't be.
> *
> * 0.0.2b2 - This version only supports server-based 524 (default) or
> *  kerberos 5 tokens. It does not (yet) support local 524/2b.
> * [appdefaults]
> *    afs-use-524 = [ yes/true/1 = server-524 | no/anything else = krb5 tokens ]
> *
> * 0.0.2b2 - OpenAFS and Arla on Mac OS X 10.4 have different VIOC_SYSCALL_DEV
> *  defines. There is a workaround in this version to work with both.
> *  In the future they hopefully will get the same VIOC_SYSCALL_DEV,
> *  and then this plugin may have to be changed.
> *
> * BUILDING
> *
> * This plugin uses the MIT krbafs lib to do the main work.
> * It currently uses 1.2 and patches it to match heimdal 0.7.2++
> * The lib is fetched, patched and built when you build the Xcode project.
> * Information about the krbafs lib: <http://web.mit.edu/openafs/krbafs/>
> *
> *
> * NOTES
> *
> * At console login time the plug-in is called as root, so we must setuid
> * to the user whose tickets we are finding.
> * This means, among other things, that the user name must match the
> * principal name. This might not be the case for all installations.
> * This solution seems less than ideal.
> *
> * In 10.4, we can not use syslog's openlog/syslog, since they seem to
> * interfere with authorizationhost (used by LoginWindow via securityd)
> * and KerberosAgent (the GUI for entering kerberos passwords.)
> * ASL seems to work though.
> *
> */
>
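The README's note that the plug-in is called as root at console login and must setuid to the user whose tickets are being found is the part of this design worth getting exactly right. What follows is an added example in C, written for this archive page; it is not code from afslog.loginLogout, from Bil's script plugin, or from the MIT krbafs lib. It shows the two steps that note implies: mapping the principal to a local account under the README's rule that the user name must equal the principal name (realm stripped, instances such as user/admin refused, nothing a getpwnam() lookup should not see), and then a privilege drop that changes supplementary groups and gid before the uid, checks every return value, refuses uid 0, and verifies afterwards that root cannot be regained. The helper names (principal_to_local_user, maps_to, drop_to_user) and the sample principal are my own constructions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* glibc: expose initgroups() and getpwnam_r() */
#endif
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Map a Kerberos principal to the local account that should get the AFS
 * token, under the README's rule that user name == principal name.
 * Keeps only the primary component (drops "@REALM"), rejects instances
 * ("ragge/admin") and any character outside [A-Za-z0-9._-], so the result
 * is safe to hand to getpwnam().  Hypothetical helper: 0 on success, -1
 * on rejection. */
int principal_to_local_user(const char *princ, char *out, size_t outlen)
{
    const char *at;
    size_t n, i;

    if (princ == NULL || out == NULL || outlen == 0)
        return -1;
    at = strchr(princ, '@');
    n = (at != NULL) ? (size_t)(at - princ) : strlen(princ);
    if (n == 0 || n >= outlen)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)princ[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;           /* '/' (instance) and anything unusual */
    }
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Check helper: 1 if princ maps to exactly `expected`, else 0. */
int maps_to(const char *princ, const char *expected)
{
    char buf[64];
    return principal_to_local_user(princ, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

/* Permanently become `user`.  Order matters: supplementary groups and gid
 * are changed while still root, the uid last, and every return value is
 * checked; an ignored setuid() failure would leave the plug-in fetching
 * tokens as root.  Returns 0 on success, -1 otherwise. */
int drop_to_user(const char *user)
{
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (getpwnam_r(user, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    if (pw.pw_uid == 0)          /* refuse to "drop" to root */
        return -1;
    if (initgroups(user, pw.pw_gid) != 0)
        return -1;
    if (setgid(pw.pw_gid) != 0)
        return -1;
    if (setuid(pw.pw_uid) != 0)
        return -1;
    /* Confirm real and effective ids changed and the drop is irreversible. */
    if (getuid() != pw.pw_uid || geteuid() != pw.pw_uid)
        return -1;
    if (getgid() != pw.pw_gid || getegid() != pw.pw_gid)
        return -1;
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char user[64];
    /* Constructed sample principal; pass another one as argv[1]. */
    const char *princ = (argc > 1) ? argv[1] : "ragge@NADA.KTH.SE";

    if (principal_to_local_user(princ, user, sizeof user) != 0) {
        fprintf(stderr, "refusing principal %s\n", princ);
        return 1;
    }
    printf("%s -> local user %s\n", princ, user);
    if (getuid() != 0) {
        printf("not root, skipping the privilege drop\n");
        return 0;
    }
    if (drop_to_user(user) != 0) {
        fprintf(stderr, "could not become %s, not fetching tokens\n", user);
        return 1;
    }
    printf("now uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

setuid() is permanent for the calling process, so inside a host such as LoginWindow or the screensaver this drop would be done in a forked child that then makes the krbafs call and exits, rather than in the host itself. The 524 handling and ASL logging from the README are deliberately left out here.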