André Balsa wrote:
On Tuesday 10 May 2005 23:13, Douglas E. Engert wrote:
With all the problems with the integration of Krb5, AFS, PAM, and OpenSSH, I would like to bring forth *again* the concepts of separating out the pam_krb5 from the pam_afs2 from the aklog.
The basic concepts are:
o Use the vendor's pam_krb5 without any AFS code.
o Provide a separate pam_afs that gets a PAG using syscall, or /proc, and forks and execs a separate program to get the AFS token, passing KRB5CCNAME= from the pam_getenv to the program. The pam_afs2 has no AFS or Kerberos libs dependencies.
o The separate program is your favorite aklog with whatever version of Kerberos and AFS you want to use.
Hello,
This is just a short comment on the above.
The idea sounds good to me. I wish we could have an open discussion of the above, without any prejudice in favor or against the proposed changes.
I also understand this is a suggestion for the direction of future developments. Who would be responsible for implementing these changes and maintaining the corresponding code is another matter, as I believe the present OpenAFS team already has a high enough workload.
I would suggest the OpenAFS needs to maintain the pam_afs2 code and the gafstoken routine. What has happened without this is some Linux vendors have developed pam modules for krb5, or krb5+afs, but not all vendors do this, thus leaving it up to the sysadmin.
OpenAFS already has an aklog, and I have the gssklog for systems that don't have Kerberos exposed, and I have said it could be donated to OpenAFS.
If OpenAFS can provide the kernel extensions, they certainly can provide the simple PAM interface too.
There is not a lot of code here, two source files: pam_afs2.c has 324 lines of code, and the gafstoken.c has 412 lines.
Thanks, regards,
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
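
Added example (not part of the thread and not the pam_afs2.c source): a sketch of the hand-off described above, where the PAM side links no AFS or Kerberos libraries and only forks and execs a token helper such as aklog with KRB5CCNAME set. The function name run_token_helper is hypothetical, its ccname argument stands in for the value a module would read with pam_getenv, and the PAG step and privilege handling are left out.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not taken from pam_afs2.c. `ccname` is assumed to be
 * the string a PAM module obtained from pam_getenv(pamh, "KRB5CCNAME").
 * Returns the helper's exit status, 127 if exec failed, -1 on other errors. */
int run_token_helper(const char *helper, char *const argv[], const char *ccname)
{
    char ccenv[4096];
    int n, status;
    pid_t pid;

    /* Require an absolute helper path and a non-empty cache name. */
    if (helper == NULL || helper[0] != '/' || ccname == NULL || ccname[0] == '\0')
        return -1;
    n = snprintf(ccenv, sizeof ccenv, "KRB5CCNAME=%s", ccname);
    if (n < 0 || (size_t)n >= sizeof ccenv)
        return -1;                      /* refuse to truncate the cache name */

    /* The child sees only these variables, nothing inherited from the caller. */
    char *const envp[] = { ccenv, "PATH=/usr/bin:/bin", NULL };

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);     /* no shell, no PATH search */
        _exit(127);                     /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
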
