Russ Allbery wrote:

I'm pleased to announce release 0.1 of a new AFS PAM session module that
starts to implement the design that I posted to openafs-devel a while
back.  Please note that this is the first beta release of a new package
and is not yet suitable for production use.  I do, however, welcome
testing and feedback.

pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM
module to obtain an AFS PAG and AFS tokens on login.  It puts every new
session in a PAG regardless of whether it was authenticated with Kerberos
and runs a configurable external program to obtain tokens.  It supports
using Heimdal's libkafs for the AFS interface and falls back to an
internal Linux-only implementation if libkafs isn't available.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-afs-session/>

That URL also has a link to the to-do list.  Currently, the module only
supports Linux and requires that you specify which program to run on the
PAM option line.  See README for configuration details; there is no man
page yet, but there will be.

The goals for a 1.0 release are porting to Solaris, adding a compile-time
default for the program to run to obtain tokens, and adding a man page, as
well as tracking down any bugs that show up in initial testing.

Please let me know of any problems or feature requests.

Attached are some changes to get it to work on Solaris. I compiled
on 10 and 9, and ran it on 9 with sshd.

The mods use syscall to get a PAG and add a few include files.

Feature requests:

  * all aklog type programs support the -p <path> option, so that
    the user's home directory can be passed, so a token for the
    user's cell can be obtained.

  * Should a failure to get a PAG or token be a critical failure?
    i.e. if the routine is called on a system without AFS, or the
    AFS kernel extensions failed to load, which should sshd do?
    I would say continue on, but log a message. You return
    PAM_SESSION_ERR in a lot of these situations. Should this be
    an option?

  * Add support to trap signals around any calls to the AFS kernel
    extensions. This really only applies if syscall is used. This
    will keep a failure of AFS to load from breaking login.

  * Don't allow the aklog program to write to stdout or stderr,
    as the messages may be misinterpreted by the client; rsh, for
    example, could have problems. Something like this in the
    exec'ed process:

        /* needs <fcntl.h>; the flag is O_WRONLY */
        close(1); open("/dev/null", O_WRONLY);
        close(2); open("/dev/null", O_WRONLY);

  * You specifically check for KRB5CCNAME, and only call the aklog
    if it is present. It is really up to the aklog program to find
    the credentials, and it should still be called.

     (1) On some systems, like HP-UX, that do not support pam_env,
         KRB5CCNAME may not be set, yet tickets are available
         using the default uid-based cache name.

     (2) You are assuming that Kerberos is required. There are some
         AFS sites that run Globus, and use gssklog with the GLOBUS
         GSI using certificates to get an AFS token.

  * Do you want to call it pam_afs_session? Sam's routine has the same
    name. Should you use a different name? Your routine can also be
    called from auth for pam_setcred. So why does it have _session?
    How about pam_afs3?

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
--- ./,sys-linux.c      Fri Nov 10 19:07:31 2006
+++ ./sys-linux.c       Mon Nov 13 15:30:30 2006
@@ -9,6 +9,8 @@
  * that don't have libkafs or libkopenafs, or where a dependency on those
  * libraries is not desirable for some reason.
  *
+ * Also works on Solaris  8, 9  and 10 with SYSCALL_NUM = 65  
+ *
  * A more robust implementation of the full kafs interface would have a
  * separate header file with the various system call constants and would
  * support more operations and the k_pioctl interface.  Since this is a
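Review bot: the new comment line claims the code "works on Solaris 8, 9 and 10", but the cover note says it was only compiled on 9 and 10 and run on 9; either say "tested on 9 and 10" or drop 8 until someone verifies it. The added line also carries trailing whitespace, and quoting "SYSCALL_NUM = 65" in prose duplicates the value defined below; point at the #define instead so the two cannot drift apart.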
@@ -26,6 +28,14 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#if defined(sun)
+#include <sys/syscall.h>
+#include <sys/ioccom.h>
+#ifndef SYSCALL_NUM    
+#define SYSCALL_NUM 65
+#endif
+#endif
+
 /* 
  * The struct passed to ioctl to do an AFS system call.  Definition taken from
  * the afs/afs_args.h OpenAFS header.
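Review bot: this block is keyed on the compiler-identification macro `sun`, which configure.ac now forces with `-Dsun`, so the port depends on a name the compiler may also predefine rather than on something configure actually detected; an AC_DEFINE'd project macro in config.h (e.g. a name like HAVE_SOLARIS_AFS_SYSCALL, your choice) would make the intent explicit. `#define SYSCALL_NUM 65` hard-codes the AFS system call number with no comment saying where 65 comes from or that it can be overridden from CFLAGS via the `#ifndef`; add that comment. There is trailing whitespace after `#ifndef SYSCALL_NUM`.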
@@ -57,9 +67,12 @@
  * by Arla (at least some versions).
  */
 static int
-afs_syscall(long syscall, long param1, long param2, long param3, long param4,
+afs_syscall(long syscall_afs, long param1, long param2, long param3, long 
param4,
             int *rval)
 {
+#if defined(sun)
+       *rval = syscall(SYSCALL_NUM, syscall_afs, param1, param2, param3, 
param4);
+#else
     struct afsprocdata syscall_data;
     int fd, oerrno;
 
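Review bot: in the Solaris branch `*rval = syscall(SYSCALL_NUM, ...)` stores the raw syscall(2) result and then falls through to `return 0`, so when the call fails (returns -1 with errno set, which is what happens if the AFS kernel module is not loaded) the caller is told the wrapper succeeded and only sees the failure by inspecting *rval and errno; return -1 when `syscall()` returns -1, or document that callers must check *rval. The parameter rename from `syscall` to `syscall_afs` is required because the old name would shadow the libc `syscall()` the branch now calls; a one-line comment saying so would save the next reader a puzzle. The breaks inside `long \n param4,` and `param3, \n param4);` look like mail-client wrapping rather than the real patch; please send it as an attachment so it applies cleanly.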
@@ -79,6 +92,7 @@
     oerrno = errno;
     close(fd);
     errno = oerrno;
+#endif
     return 0;
 }
 
--- ./,configure.ac     Fri Nov 10 19:07:31 2006
+++ ./configure.ac      Mon Nov 13 15:01:24 2006
@@ -24,6 +24,10 @@
      *-linux*)
          AC_LIBOBJ([sys-linux])
          ;;
+        *-solaris*) 
+               CFLAGS="$CFLAGS -Dsun"
+               AC_LIBOBJ([sys-linux])
+                ;;
      *)
          AC_MSG_ERROR([No suitable kafs implementation found])
          ;;
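Review bot: the new `*-solaris*)` case is indented with a mix of tabs and spaces and does not line up with the `*-linux*)` case directly above, and the `;;` sits at yet another column; match the surrounding style. Since Solaris now builds `sys-linux`, the object name no longer describes what it contains; consider noting in the comment at the top of sys-linux.c (or in a rename, e.g. to sys-syscall) that the file serves both platforms.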
@@ -36,6 +40,13 @@
 *-linux*)
     LDFLAGS="-Wl,-z,defs $LDFLAGS"
     ;;
+*-solaris*)
+       if test "x${CC}" = xgcc ; then
+               LDFLAGS="-Wl,-z,muldefs $LDFLAGS"
+       else
+               LDFLAGS="-z muldefs $LDFLAGS"
+       fi
+       ;;
 esac
 
 AC_CONFIG_HEADER([config.h])
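Review bot: `test "x${CC}" = xgcc` misses the common cases where CC is a full path, a target-prefixed name or carries flags (`CC="gcc -m64"`); AC_PROG_CC already sets `GCC=yes` for exactly this purpose, so `if test "x$GCC" = xyes` is the idiomatic check. Separately, `-z muldefs` tells the linker to accept multiply-defined symbols silently, the opposite of the `-z defs` strictness applied on Linux just above; add a comment naming the duplicate symbol this works around, because left unexplained it can hide a real conflict (a module function shadowing a libc symbol, for instance) that would otherwise fail the link.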
--- ./,logging.c        Fri Nov 10 19:07:31 2006
+++ ./logging.c Mon Nov 13 14:28:15 2006
@@ -10,6 +10,7 @@
 
 #include "config.h"
 
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdarg.h>
 #include <stdio.h>
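Review bot: this patch adds `#include <security/pam_appl.h>` to logging.c, tokens.c and internal.h; if the two .c files include internal.h, the per-file additions are redundant and only internal.h needs it. Whichever file keeps it, a short comment that Solaris's pam_modules.h expects pam_appl.h to be included first (for the pam_handle_t declaration) would explain why the ordering matters.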
--- ./,internal.h       Fri Nov 10 19:07:31 2006
+++ ./internal.h        Mon Nov 13 14:32:15 2006
@@ -9,6 +9,7 @@
 
 #include "config.h"
 
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdarg.h>
 
--- ./,tokens.c Fri Nov 10 19:07:31 2006
+++ ./tokens.c  Mon Nov 13 14:32:54 2006
@@ -13,6 +13,7 @@
 
 #include <errno.h>
 #include <pwd.h>
+#include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <stdio.h>
 #include <string.h>

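Two of the feature requests above, muzzling the aklog child's stdout/stderr and trapping a signal around calls into the AFS kernel extensions so that a missing AFS module does not break login, as an added C example. This is not code from pam-afs-session or from either poster; it assumes `/bin/sh -c` as a stand-in for aklog, SIGSYS as the signal an unimplemented system call would deliver, and the function names `run_shell_quiet` and `call_guarded` are invented here.

```c
/* Added example, not from pam-afs-session or either poster.  Assumptions:
 * /bin/sh -c stands in for aklog; SIGSYS stands in for whatever the kernel
 * delivers when the AFS syscall is not there; all names are invented here. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "/bin/sh -c cmd" with stdin, stdout and stderr on /dev/null so the
 * helper's chatter can never reach the PAM application's client.
 * Returns the child's exit status (0-255; 127 means it could not be run),
 * or -1 if fork/wait failed or the child died from a signal. */
int run_shell_quiet(const char *cmd)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open("/dev/null", O_RDWR);

        /* dup2() onto fixed descriptor numbers is safer than the
         * close(1); open(...) idiom: it does not rely on open() returning
         * the lowest free number, and it still works if 1 or 2 was already
         * closed before the fork. */
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0
            || dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0)
            _exit(127);
        if (fd > STDERR_FILENO)
            close(fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *) NULL);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Guarded call: SIGSYS during fn() unwinds back here instead of killing
 * the process (and with it the login). */
static sigjmp_buf guard_env;
static volatile sig_atomic_t guard_armed = 0;

static void guard_handler(int sig)
{
    (void) sig;
    if (guard_armed)
        siglongjmp(guard_env, 1);
}

/* Call fn(arg) with SIGSYS trapped for the duration of the call.
 * Returns 0 and stores fn's return value in *result on normal completion,
 * or -1 if the call was aborted by the signal (*result is untouched).
 * The previous disposition is restored either way. */
int call_guarded(int (*fn)(void *), void *arg, int *result)
{
    struct sigaction sa, old;
    int rc;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = guard_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSYS, &sa, &old) < 0)
        return -1;
    if (sigsetjmp(guard_env, 1) == 0) {     /* savemask=1 restores the mask */
        guard_armed = 1;
        *result = fn(arg);
        rc = 0;
    } else {
        rc = -1;                            /* came back via guard_handler() */
    }
    guard_armed = 0;
    sigaction(SIGSYS, &old, NULL);
    return rc;
}

/* Constructed stand-ins for an AFS call that works and one that blows up;
 * the second simulates an unimplemented syscall by raising SIGSYS. */
int demo_afs_call_ok(void *arg)      { (void) arg; return 7; }
int demo_afs_call_sigsys(void *arg)  { (void) arg; raise(SIGSYS); return 7; }

int main(void)
{
    int r = 0, rc;

    printf("helper exit status: %d\n", run_shell_quiet("echo noise; exit 3"));
    rc = call_guarded(demo_afs_call_ok, NULL, &r);
    printf("guarded ok: rc=%d r=%d\n", rc, r);
    rc = call_guarded(demo_afs_call_sigsys, NULL, &r);
    printf("guarded sigsys: rc=%d (login continues)\n", rc);
    return 0;
}
```

The point of returning status codes rather than aborting is the policy question raised above: a module built this way can log the helper's exit status or the trapped signal through its normal logging path and still let the session proceed, instead of turning a missing AFS kernel module into a failed login.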