With all the problems with the integration of Krb5, AFS, PAM, and OpenSSH, I would like to bring forth *again* the concept of separating out the pam_krb5 from the pam_afs2 from the aklog.
The basic concepts are:
o Use the vendor's pam_krb5 without any AFS code.
o Provide a separate pam_afs that gets a PAG using a syscall or /proc, and forks and execs a separate program to get the AFS token, passing KRB5CCNAME= from pam_getenv to the program. The pam_afs2 has no AFS or Kerberos library dependencies.
o The separate program is your favorite aklog with whatever version of Kerberos and AFS you want to use.
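An added example of the pam_afs2 mechanics described above, written for this page and not taken from the post or from the pam_afs2 tarball: the PAG is obtained through the OpenAFS /proc ioctl on Linux with no AFS library linked in, and the site's aklog is then exec'd inside that PAG with nothing but KRB5CCNAME in its environment. The ioctl constants and struct layout are assumptions recalled from the Linux OpenAFS interface (check afs/afs_args.h), and a real module would take the cache name from pam_getenv in its session handler rather than as a parameter.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* OpenAFS client ioctl entry point on Linux (assumption: recalled from
 * the Linux OpenAFS interface; check afs/afs_args.h for your tree). */
#define AFS_PROC_IOCTL "/proc/fs/openafs/afs_ioctl"
#define VIOC_SYSCALL   _IOW('C', 1, void *)
#define AFSCALL_SETPAG 21
struct afsprocdata { long param4, param3, param2, param1, syscall; };

/* Put the calling process in a fresh PAG without linking any AFS library.
 * Returns 0 on success, -1 if the client is not loaded or refuses. */
int afs_setpag_proc(void) {
    struct afsprocdata d = { 0, 0, 0, 0, AFSCALL_SETPAG };
    int fd = open(AFS_PROC_IOCTL, O_RDWR);
    if (fd < 0) return -1;
    int rc = ioctl(fd, VIOC_SYSCALL, &d);
    close(fd);
    return rc < 0 ? -1 : 0;
}

/* Run the token helper (the site's aklog) inside the current PAG with a
 * minimal environment holding only KRB5CCNAME, the value a real module
 * reads with pam_getenv(pamh, "KRB5CCNAME"). The caller's environment is
 * deliberately not inherited, and argv[0] must be an absolute path so
 * nothing is resolved through PATH. Returns the helper's exit status,
 * or -1 when the inputs are unusable or fork/exec fails. */
int run_token_helper(const char *ccname, char *const argv[]) {
    if (ccname == NULL || ccname[0] == '\0' ||
        argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;
    char envbuf[512];
    if (snprintf(envbuf, sizeof envbuf, "KRB5CCNAME=%s", ccname)
            >= (int)sizeof envbuf)
        return -1;
    char *envp[] = { envbuf, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);   /* exec failed; distinguishable from aklog's own status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In a session handler the order is afs_setpag_proc() first, then run_token_helper(), so the token lands in the PAG the login shell will inherit.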
The beauty of this concept includes:
o No shared lib problems between the pam_krb5 and the application, or the aklog.
o You can use one version of Kerberos in the aklog and another in the application or pam_krb5.
o It would allow OpenAFS to provide the pam_afs and either OpenAFS or the Kerberos vendors to provide the aklog. (MIT, Heimdal and OpenAFS all have some form of aklog.)
Two examples:
(1) Sun Solaris 10 using Sun's Kerberos
We now have OpenAFS-1.3.81 running on Solaris 10 using the Sun-provided Kerberos and SSH. We are using the Sun-provided pam_krb5, with a pam_afs2. Sun does not expose their Kerberos API, but does have GSSAPI, so we are using the gssklog that links with the Sun gssapi. They also call pam from everywhere, including SSHD, telnetd, krshd, ftpd, krlogind, dtlogin, login... So the pam.conf needed a few changes to add the pam_afs2 after the pam_krb5. We can use Kerberos and get tickets and AFS tokens from the console, screen unlock, rshd, telnetd, sshd via user/password or ssh gssapi-with-mic.
(Solaris 10 Kerberos has some glitches, but these can be worked out, as the developers have been very responsive.)
(2) RedHat using Heimdal with PKINIT in pam_krb5, and MIT Kerberos for OpenSSH and ak5log.
We have pam_afs2 on a RedHat system where the pam_krb5 is using the Heimdal Kerberos with PKINIT from GDM to authenticate with Windows AD using a smartcard. But we are still using the ak5log linked with the MIT Kerberos to get AFS tokens.
For more info see:
ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar
If anyone is interested in the Solaris 10 pam.conf file changes, contact me. We are still working with them.
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
