This is not directly related to openafs, but does this module support allowing users to change expired kerberos passwords via ssh keyboard-interactive login?

On Fri, May 06, 2005 at 05:25:08PM -0400, Christopher Allen Wing wrote:
> Several people have been asking me as well as the OpenAFS list about
> problems with the pam_krb5 PAM module included with Red Hat Enterprise
> Linux 4. It has several bugs, including:
>
> - doesn't work properly with dynroot enabled
> - may not work when your 'root.cell' volume is replicated across
>   more than 1 server
>
>
> I finally got around to doing a proper fix for these issues. I rebuilt the
> pam_krb5 RPM with the following changes:
>
> 1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name
> of the local cell. So if you had dynroot enabled it wanted to obtain
> tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs
> wscell' instead.
>
> 2. pam_krb5 only tries to get tokens for the local cell by default. I
> changed it to also try to get tokens in the cell containing the user's
> home directory, if different than the local cell.
>
> 3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS
> service ticket. It basically uses the following procedure:
>
>     fs whereis /afs/cell.name
>
>     look up the DNS names of the file servers for /afs/cell.name
>
>     use krb5_get_host_realm() on these DNS names to get the matching
>     Kerberos realm
>
> Aside from the question of whether or not this is the correct thing to do,
> pam_krb5 was only passing a buffer big enough to hold 1 IP address when
> looking up the servers containing /afs/cell.name. So if your root.cell
> volume was replicated it would break. I fixed this.
>
> 4. Not all of the debugging statements in pam_krb5 were active, even when
> 'debug' was specified in the pam configuration files. Some of the
> debugging statements that didn't work were instrumental in figuring out
> what was wrong with the above problems.
>
> 5. I also packaged the 'afs5log' program. This is included with the source
> code of pam_krb5, and basically does the same thing as 'aklog', except
> using Red Hat's own AFS code instead of the actual AFS libraries.
> It's useful for debugging purposes since it acts mostly identically to
> pam_krb5.
>
>
> You can download the updated RPMs from here:
>
>
> http://www-personal.engin.umich.edu/~wingc/openafs/pam_krb5/2.1.2-1.fixed/
>
>
> I compiled them both for i386 and x86_64 (AMD Athlon64/Opteron/Intel
> EM32T).
>
>
> Hopefully, these should fix any problems people are having with pam_krb5
> logins for users with AFS home directories. I don't know anything about
> Fedora or other OSes, but I'd guess you should be able to recompile this
> module on FC3 or similar systems at least.
>
>
> I will be sending the patches to Red Hat very soon so hopefully future
> versions of pam_krb5 will include the fixes.
>
>
> Thanks,
>
> Chris Wing
> [EMAIL PROTECTED]
> _______________________________________________
> OpenAFS-devel mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-devel

-- 
--------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' [EMAIL PROTECTED]

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz
