Russ Allbery wrote:

Douglas E Engert <[EMAIL PROTECTED]> writes:


If it was integrated into the source, I would expect to use the
lsetpag, and glue source and header files to be able to get a PAG.


You can't use lsetpag in a PAM module right now.  There is no shared
library that provides it.

I did not say shared lib, I said source. Could use the .o files instead
I would suspect.

I think the consensus was that this wasn't the
PAG interface we really wanted to put more work into; the kafs interface
is better.


I am not talking a lot of work. It looks like it is all but done.
PAM calls lsetpag() and links with sys/sepag.o and sys/glue.o.


I would rather avoid the kafs interface and use the external aklog if at
all possible. It avoids bringing in any additional AFS libs and their
dependencies into an application that calls PAM thus avoiding clashes
and keeping it simple.


I believe the kafs interface is the correct long-term approach for most
sites, and therefore want to work on a PAM module that uses it, but it
will be an optional compile-time configuration on Linux at least since I
need something that works on Linux with OpenAFS right now and libkopenafs
is an OpenAFS 1.6 thing.  Once libkopenafs shows up, you'll have what you
want for the time being since libkopenafs will be a stand-alone shared
library that only exposes the k_hasafs, k_setpag, k_pioctl, and k_unlog
interfaces; the PAM module built against libkopenafs (or on Linux without
any supporting libraries) will not have any Kerberos dependencies and will
always use an external aklog.

Eventually, I would like to see aklog become a library that provides the
rest of the kafs interface, but when we do that, we can try to ensure that
people who want to avoid Kerberos dependencies can continue to do so.
Maybe rather than integrating those functions into libkopenafs, we'll add
a new library or something.  That bridge is a bit off into the future,
though, so we can worry about crossing it later.


OK, I won't do much now, but will be waiting.


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
