Jeffrey Hutzelman wrote:
> On Tuesday, October 31, 2006 09:01:07 AM -0600 "Douglas E. Engert"
> <[EMAIL PROTECTED]> wrote:
>> Rather than having to modify ssh to swap the order of the
>> calls to pam_setcred and pam_open_session, you could look at
>> using one of the pam_afs modules that will get the token and PAG
>> during the pam_setcred. For example the pam_openafs_session.so
>> module can be called from "auth" and it will get the token
>> during pam_setcred.
> The PAM module that ships with OpenAFS does this. However, rather than
> reusing whatever password
Password? I thought we were talking K5, where the K5 ticket is obtained
either via pam_krb5, or via delegated GSSAPI credential as sshd does,
so AFS only needs the location of the ticket cache.
> the user most recently typed, it uses the same
> password with which the auth module successfully obtained a token. This
> is entirely reasonable, because PAM does not call the setcred methods of
> modules whose authenticate method did not succeed.
> However, ssh runs the authenticate operation in a separate process, with
> no opportunity to communicate that password to the setcred method. We
> call back into the PAM framework to set a module-specific data item, but
> then when we return, the process exits, taking our data with it.
I must admit that when I did compile OpenSSH on Solaris <= 5.9, HP-UX and
on Linux I used the UNSUPPORTED_POSIX_HACK. With Solaris 10 and Ubuntu
we are using the vendor's sshd.
With GSSAPI, as Simon points out, sshd does not call pam_setcred.
> The OpenAFS PAM module does nothing at all in pam_open_session, so the
> relative order of calls to setcred and open_session does not matter.
> However, the order in which they are called with respect to other
> operations may be relevant.
If I were to integrate pam_afs2 into the AFS source tree, would it be
considered for inclusion?
Some features:
* It expects the krb5 ticket cache to be available via KRB5CCNAME in pam_env.
On a system like HP-UX which does not have pam_env, it can derive
the name.
* Getting the PAG is optional. Useful from xscreensaver or gnome-screensaver
to renew the token when the screen is unlocked.
* It has no krb5 code, but fork/execs your favorite aklog to get the token.
* The tokens/PAG can be obtained at pam_setcred or pam_open_session,
so it can be used with different applications/systems that call
PAM in unusual ways.
* It is independent of pam_afs, so the admin could use either.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel