Re: [OpenAFS] AFS token, SSH, KRB[5]
I updated the files slightly and added a 'README' in
/afs/rrz.uni-koeln.de/vol/pam/pam_runexec/ that hopefully answers some more
questions. My aim was to have a 'ready to run' module.

If a PAG gets lost, this code tries to reconnect the PAG within the PAM
session. No special AFS trap handlers are used. I tried to keep close to
'do_klog' from OpenAFS's pam_afs.so.1.

The scanning of PAM parameters now allows a comma-separated list to give
multiple arguments to the finally executed program. A flag 'usekrb4' or
'usekrb5' in the PAM configuration file can switch between kaserver and KRB5.
I like to use D. Engert's 'gssklog', which helps running both in parallel.

Best regards
Rainer Laatsch
__
E-mail: [EMAIL PROTECTED]      Universitaet zu Koeln
                               Reg. Rechenzentrum (ZAIK/RRZK)
Fax : (0221) 478-5590          Robert-Koch-Str. 10
Tel : (0221) 478-5582          D-50931 Koeln

On Thu, 7 Jun 2007, Russ Allbery wrote:

> Rainer Laatsch [EMAIL PROTECTED] writes:
>
>> Interested parties might want to have a look at
>> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>>
>> The pam_runexec is configurable to get a token by executing [KRB4]
>> klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
>> In auth, a pag is set, and a session-based ticket file is also created.
>> In session, the pag is recovered and the ticket file permissions
>> corrected, if needed.
>
> Out of curiosity, what did you find was missing from existing PAM modules
> that led you to write your own?

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] AFS token, SSH, KRB[5]
I just sent an answer to Russ's question to the list.

With the debugging of my code I try to analyze if and where an AFS token may
get lost and possibly remedy that. As long as pam_afs works, there is no
benefit here.

When using gssklog, switching to KRB5 is much easier (there is no change to
the master AFS KeyFile required). There are other pitfalls if the KRB5 ticket
file is left with owner 'root', inaccessible to the user. That is fixed here.

To effectively use the code, you must be an admin and possibly have KRB5
ready. The security question: there are pros and cons; finally one has to
decide oneself.

Best regards
Rainer Laatsch
__
E-mail: [EMAIL PROTECTED]      Universitaet zu Koeln
                               Reg. Rechenzentrum (ZAIK/RRZK)
Fax : (0221) 478-5590          Robert-Koch-Str. 10
Tel : (0221) 478-5582          D-50931 Koeln

On Fri, 15 Jun 2007, Paul Johnson wrote:

> On 6/7/07, Rainer Laatsch [EMAIL PROTECTED] wrote:
>
>> Interested parties might want to have a look at
>> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>>
>> The pam_runexec is configurable to get a token by executing [KRB4]
>> klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
>> In auth, a pag is set, and a session-based ticket file is also created.
>
> Dear Rainer:
>
> ...
>
> I'm just a client user of openafs, not a server administrator or
> programmer. How is the approach you propose different from pam_afs and
> what benefit do I (the pam-ignorant system administrator) get from using
> your approach?
>
> Until now, pam_afs has worked for me on Fedora Core 5 and 6, but I have
> some troubles in getting tokens in Fedora 7, so I might like to try your
> approach. But you don't give enough information for me to understand what
> your package does differently. I also wonder if there are security
> implications from making a change like this.
>
> pj
Re: [OpenAFS] AFS token, SSH, KRB[5]
On 6/7/07, Rainer Laatsch [EMAIL PROTECTED] wrote:

> Interested parties might want to have a look at
> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>
> The pam_runexec is configurable to get a token by executing [KRB4]
> klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
> In auth, a pag is set, and a session-based ticket file is also created.

Dear Rainer:

Do you mind if I ask Russ's question in a way that won't provoke you?

I'm just a client user of openafs, not a server administrator or programmer.
How is the approach you propose different from pam_afs and what benefit do I
(the pam-ignorant system administrator) get from using your approach?

Until now, pam_afs has worked for me on Fedora Core 5 and 6, but I have some
troubles in getting tokens in Fedora 7, so I might like to try your approach.
But you don't give enough information for me to understand what your package
does differently. I also wonder if there are security implications from
making a change like this.

pj
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
[OpenAFS] AFS token, SSH, KRB[5]
Interested parties might want to have a look at
/afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar

The pam_runexec is configurable to get a token by executing [KRB4]
klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
In auth, a pag is set, and a session-based ticket file is also created.
In session, the pag is recovered and the ticket file permissions corrected,
if needed. Some of the routines may be useful for other pam routines.

This worked for me on RedHat EL5, kernel 2.6.18-1.2747.el5 with RedHat's
delivered OpenSSH_4.3p2.

Best regards
Rainer Laatsch
__
E-mail: [EMAIL PROTECTED]      Universitaet zu Koeln
                               Reg. Rechenzentrum (ZAIK/RRZK)
                               Robert-Koch-Str. 10
                               D-50931 Koeln
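The session-phase step described in this post and in the follow-up (recover the PAG, then correct the permissions of the per-session KRB5 ticket file that may have been left owned by root) is the part a PAM author has to get right without opening a race. The example below is added here and is not code from the pam_runexec tarball or from OpenAFS; it shows only the ticket-file repair, written as a stand-alone C function a session module could call. It assumes the cache is a plain file at a path the module already knows (the PAG and kinit/gssklog steps are out of scope). Every name in it (fix_ccache_perms, ccache_mode_bits, make_sample_ccache, the /tmp/krb5cc_demo_XXXXXX sample) is an assumption of this example, and the sample file it creates is constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for fix_ccache_perms() (hypothetical names). */
enum ccache_result {
    CCACHE_OK = 0,        /* file is (now) owned by the user, mode 0600 */
    CCACHE_NOT_FOUND = 1, /* no ticket file at that path: nothing to fix */
    CCACHE_UNSAFE = 2,    /* symlink or non-regular file: refuse to touch it */
    CCACHE_ERROR = 3      /* a system call failed; errno says why */
};

/*
 * Session-phase repair: make the credential cache at `path` usable by the
 * login user (uid/gid) with mode 0600.  The file is opened with O_NOFOLLOW
 * and every check and change goes through the descriptor, so a symlink
 * planted at the path cannot redirect the chown/chmod to another file, and
 * the inode that was inspected is the inode that gets changed.
 */
int fix_ccache_perms(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ENOENT)
            return CCACHE_NOT_FOUND;
        if (errno == ELOOP)          /* O_NOFOLLOW refused a symlink */
            return CCACHE_UNSAFE;
        return CCACHE_ERROR;
    }
    if (fstat(fd, &st) < 0) {
        close(fd);
        return CCACHE_ERROR;
    }
    if (!S_ISREG(st.st_mode)) {      /* FIFO, device, directory ... */
        close(fd);
        return CCACHE_UNSAFE;
    }
    /* chown only when ownership is actually wrong; changing the owner needs
       root, which a PAM session module normally has when this runs. */
    if ((st.st_uid != uid || st.st_gid != gid) && fchown(fd, uid, gid) < 0) {
        close(fd);
        return CCACHE_ERROR;
    }
    if ((st.st_mode & 07777) != 0600 && fchmod(fd, 0600) < 0) {
        close(fd);
        return CCACHE_ERROR;
    }
    close(fd);
    return CCACHE_OK;
}

/* Permission bits of `path` without following symlinks, or -1 on error. */
int ccache_mode_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/*
 * Constructed sample input: a ticket file left the "wrong" way, i.e.
 * world-readable (0644).  The generated path is written into `path_out`.
 */
int make_sample_ccache(char *path_out, size_t len)
{
    const char tmpl[] = "/tmp/krb5cc_demo_XXXXXX";   /* assumed location */
    if (len < sizeof tmpl)
        return -1;
    memcpy(path_out, tmpl, sizeof tmpl);
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (write(fd, "constructed ccache\n", 19) < 0 || fchmod(fd, 0644) < 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    if (make_sample_ccache(path, sizeof path) != 0) {
        perror("make_sample_ccache");
        return 1;
    }
    printf("before: mode %04o\n", ccache_mode_bits(path));
    int rc = fix_ccache_perms(path, getuid(), getgid());
    printf("fix_ccache_perms -> %d, after: mode %04o\n", rc, ccache_mode_bits(path));
    unlink(path);
    return rc == CCACHE_OK ? 0 : 1;
}
```

Run as an unprivileged user the demo only exercises the chmod path (the file is already owned by the caller); under a real session module running as root the same function also hands a root-owned cache back to the user. The refusal to follow symlinks or touch non-regular files is the caveat that matters: a per-session cache path is predictable, so the repair must never chown or chmod whatever happens to sit at that name.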
Re: [OpenAFS] AFS token, SSH, KRB[5]
Rainer Laatsch [EMAIL PROTECTED] writes:

> Interested parties might want to have a look at
> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>
> The pam_runexec is configurable to get a token by executing [KRB4]
> klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
> In auth, a pag is set, and a session-based ticket file is also created.
> In session, the pag is recovered and the ticket file permissions
> corrected, if needed.

Out of curiosity, what did you find was missing from existing PAM modules
that led you to write your own?

--
Russ Allbery ([EMAIL PROTECTED])             http://www.eyrie.org/~eagle/
Re: [OpenAFS] AFS token, SSH, KRB[5]
Russ Allbery wrote:

> Rainer Laatsch [EMAIL PROTECTED] writes:
>
>> Interested parties might want to have a look at
>> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>>
>> The pam_runexec is configurable to get a token by executing [KRB4]
>> klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included.
>> In auth, a pag is set, and a session-based ticket file is also created.
>> In session, the pag is recovered and the ticket file permissions
>> corrected, if needed.
>
> Out of curiosity, what did you find was missing from existing PAM modules
> that led you to write your own?

Out of curiosity, you're American I assume, so why does the concept of
competition raise interest?
Re: [OpenAFS] AFS token, SSH, KRB[5]
Christof Hanke [EMAIL PROTECTED] writes:

> Russ Allbery wrote:
>
>> Out of curiosity, what did you find was missing from existing PAM
>> modules that led you to write your own?
>
> Out of curiosity, you're American I assume, so why does the concept of
> competition raise interest?

I'm not quite sure what you mean. I'm curious about all PAM implementations
in this space because different implementations bring different ideas and
different use cases, and I'd like to be aware of how other people are using
PAM when writing PAM modules. I also occasionally give talks about AFS and
PAM and like to mention all the available options so that people can pick
what works best for their situation, so I like to know what the strengths
and weaknesses of the available options are.

--
Russ Allbery ([EMAIL PROTECTED])             http://www.eyrie.org/~eagle/
Re: [OpenAFS] AFS token, SSH, KRB[5]
Russ Allbery wrote:

> Christof Hanke [EMAIL PROTECTED] writes:
>
>> Russ Allbery wrote:
>>
>>> Out of curiosity, what did you find was missing from existing PAM
>>> modules that led you to write your own?
>>
>> Out of curiosity, you're American I assume, so why does the concept of
>> competition raise interest?
>
> I'm not quite sure what you mean.

I think it's pretty clear what you're trying to do, Russ. OBVIOUSLY, you're
an American bastard trying to get a stranglehold monopoly in the market for
freely available open source PAM modules. They're apparently German trade
secrets, and no, you cannot have that information.

*rolls eyes*