Douglas E. Engert wrote:
As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
AFS integration into the login process becomes more difficult, as
some vendors do not provide OpenAFS. We have no problems with installing
OpenAFS separately, but would like to not have to replace the vendor's
pam_krb5 or sshd modules that combine Kerberos and AFS.

Of course I would go with things as vanilla as possible.

Kerberos and OpenSSH are much more widely known and accepted
by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
Kerberos and SSH, but there are a lot of vendors that do not support
OpenAFS. And many sysadmins are reluctant to replace the PAM
and SSH modules with versions that support OpenAFS. They may be willing to add
but not replace.

More or less...

I would like to contribute to OpenAFS two source modules, pam_afs2.c
and gafstoken.c.  These can be found today in two separate build
packages:

      ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
      ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar

Ok.

pam_afs2.c is a PAM routine that can be called after a pam_krb5
routine has been called. All pam_afs2.c requires is that the pam_krb5
routine has stored the credentials and done pam_putenv of the
KRB5CCNAME.

pam_afs2.c will then call the gafstoken routine that will
get a PAG using syscalls, then fork/exec your favorite aklog,
ak5log, gssklog, or afslog to actually get the token.

Basically, you're doing the same thing as pam_openafs_session.so in debian.

Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
in them directly (other than the syscalls to get a PAG), this helps
to simplify the integration, avoids Kerberos lib name clashes,
eliminates 32 vs 64 bit version problems and allows for
integration at the pam.conf level.

Is pam_afs2.so at session level like pam_openafs_session.so? Where is it called?

I have been using these routines on Solaris 9 for almost 6 months
and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
and friends. Unlocking the screen will keep the same PAG, but get
a new Kerberos ticket and AFS token.

That's good.

We have been using the MIT Kerberos on Solaris, but expect to
have a simple conversion to Solaris 10 using the Solaris Kerberos.

I have also done some testing on RedHat using their pam_krb5.o,
rather than the pam_krb5afs.o.

I find pam_krb5afs.so better, but I didn't realize how to get a PAG before enabling the shell (SUSE Linux).

pam_afs2 also works well with OpenSSH PAM session support, to get
the PAG and token, with no OpenSSH mods required.

It doesn't work for SSO though. Am I right?

The two tar files listed above will configure to build the
pam routine and the gafstoken lib. They each have a README
file which goes into more detail. A pam.conf file for Solaris is
also included in the tar file.

I'll give it a chance, but did you try something for AIX?

--
Sensei <mailto:[EMAIL PROTECTED]> <pgp:8998A2DB>
       <icqnum:241572242>
       <yahoo!:sensei_sen>
       <msn-id:[EMAIL PROTECTED]>
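The thread describes pam_afs2 as a session module that, after pam_krb5 has stored the credentials and put KRB5CCNAME into the PAM environment, gets a PAG and then fork/execs a token helper (aklog, ak5log, gssklog or afslog). The following is an added example, not code from pam_afs2.c or gafstoken.c, of the fork/exec half of that design. It assumes the caller has already obtained the PAG (the AFS syscall is not shown; the child simply inherits whatever PAG the parent is in), takes the credential-cache name as a parameter where a real module would call pam_getenv(pamh, "KRB5CCNAME"), and uses /bin/sh as a constructed stand-in for the helper binary so it runs without AFS installed. The points it demonstrates are the ones a PAM-context exec should get right: an absolute helper path rather than a PATH lookup, a minimal explicit environment rather than the invoking daemon's, execve instead of system(), and a checked exit status.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * run_token_helper: fork/exec an AFS token helper with KRB5CCNAME pointing at
 * the credential cache a preceding pam_krb5 stored. The caller (the PAM
 * session module) is assumed to have already obtained a PAG, which the child
 * inherits; this function only hands the cache name to the helper and
 * collects its exit status.
 *
 * Returns the helper's exit status (0 = token obtained), or -1 when the
 * arguments are unsafe, fork/wait fails, or the helper died from a signal.
 * An exec failure in the child surfaces as exit status 127.
 */
int run_token_helper(const char *ccname, const char *helper_path,
                     char *const helper_argv[])
{
    /* Refuse empty cache names and relative paths: a PAM module must not rely
       on the invoking daemon's PATH or cwd to find aklog. */
    if (ccname == NULL || ccname[0] == '\0' ||
        helper_path == NULL || helper_path[0] != '/')
        return -1;

    /* Build a minimal environment for the child instead of inheriting the
       parent's: only the cache pointer and a fixed PATH. */
    char ccenv[4096];
    int n = snprintf(ccenv, sizeof ccenv, "KRB5CCNAME=%s", ccname);
    if (n < 0 || (size_t)n >= sizeof ccenv)
        return -1;
    char *const envp[] = { ccenv, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: exec the helper by absolute path with the explicit argv and
           environment; _exit (not exit) so the parent's atexit handlers and
           stdio buffers are not run or flushed a second time. */
        execve(helper_path, helper_argv, envp);
        _exit(127);
    }

    /* Parent: wait for exactly this child, retrying if interrupted. */
    int status;
    for (;;) {
        pid_t w = waitpid(pid, &status, 0);
        if (w == pid)
            break;
        if (w < 0 && errno == EINTR)
            continue;
        return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;  /* killed by a signal: treat as failure */
}

int main(void)
{
    /* Constructed stand-in for the value pam_krb5 would have placed in the
       PAM environment; a real module would read it with
       pam_getenv(pamh, "KRB5CCNAME"). */
    const char *ccname = "FILE:/tmp/krb5cc_constructed";
    /* Constructed helper: /bin/sh standing in for aklog, only reporting what
       it was handed. A real deployment would pass e.g. "/usr/bin/aklog" with
       { "aklog", NULL } (path is an assumption, check your install). */
    char *const argv[] = { "sh", "-c",
                           "echo \"helper sees KRB5CCNAME=$KRB5CCNAME\"", NULL };
    int rc = run_token_helper(ccname, "/bin/sh", argv);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Because the token is attached to the PAG rather than to a uid, a module built this way can sit at the session level in pam.conf after pam_krb5 and needs nothing from the helper beyond its exit status; whether the helper actually succeeded is the only thing the module logs or acts on.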
