Franco "Sensei" wrote:
Douglas E. Engert wrote:

As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
AFS integration into the login process becomes more difficult, as
some vendors do not provide OpenAFS. We have no problems with installing
OpenAFS separately, but would like to not have to replace the vendor's
pam_krb5 or sshd modules that combine Kerberos and AFS.


Of course I would go with things as vanilla as possible.

Kerberos and OpenSSH are much more widely known and accepted
by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
Kerberos and SSH, but there are a lot of vendors that do not support
OpenAFS. And many sysadmins are reluctant to replace the PAM
and SSH to support OpenAFS versions. They may be willing to add
but not replace.


More or less...

I would like to contribute to OpenAFS two source modules, pam_afs2.c
and gafstoken.c.  These can be found today in two separate build
packages:

    ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
    ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar


Ok.

pam_afs2.c is a PAM routine that can be called after a pam_krb5
routine has been called. All pam_afs2.c requires is that the pam_krb5
routine has stored the credentials and done pam_putenv of the
KRB5CCNAME.

pam_afs2.c will then call the gafstoken routine that will
get a PAG using syscalls, then fork/exec your favorite aklog,
ak5log, gssklog, or afslog to actually get the token.


Basically, you're doing the same thing as pam_openafs_session.so in debian.

Could be, but it's for more than Debian. I would like to see OpenAFS provide the PAM routine that would run on any system.


Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
in them directly (other than the syscalls to get a PAG), this helps
to simplify the integration and avoids Kerberos lib name clashes and
eliminates 32 vs 64 bit version problems and allows for
integration at the pam.conf level.


Is pam_afs2.so at session level like pam_openafs_session.so? Where is it called?

OpenSSH for example can call PAM session, after it has authenticated via gssapi-with-mic, and received a delegated credential. It will do a pam_setenv(KRB5CCNAME=...). The pam_afs2 can pass this to the aklog to use to get K5 tickets.

It is also called if user/password was used with Kerberos or Kerberos
via pam_krb5. They both save the credentials and set KRB5CCNAME.


Note that OpenSSH-3.9p1 needs the patch from bug #918. This was fixed 4.0, but I have not tried 4.x yet.


I have been using these routines on Solaris 9 for almost 6 months
and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
and friends. Unlocking the screen will keep the same PAG, but get
a new Kerberos ticket and AFS token.


That's good.

We have been using the MIT Kerberos on Solaris, but expect to
have a simple conversion to Solaris 10 using the Solaris Kerberos.

I have also done some testing on RedHat using their pam_krb5.o,
rather than the pam_krb5afs.o.


I find pam_krb5afs.so better, but I didn't figure out how to get a PAG before enabling the shell (SuSE Linux).

I have not tried this on SuSE, but would expect it to work. I would not expect to see a pam_krb5afs.so on Solaris or HP.


pam_afs2 also works well with OpenSSH PAM session support, to get
the PAG and token, with no OpenSSH mods required.


It doesn't work for a SSO though. Am I right?

pam_afs2 is not doing authentication; it is there to get a PAG and token using the credentials saved by a previous PAM module or by the application like OpenSSH.

You can use Krb5 for the SSO, and pam_afs2 gets the token for access to
your home directory.


The two tar files listed above will configure to build the
pam routine and the gafstoken lib. They each have a README
file which goes into more detail. A pam.conf file for Solaris is
also included in the tar file.


I'll give it a chance, but did you try something for AIX?


We used to have AIX, and there is some PAG code in the gafstoken for AIX that may still work. Let me know if it needs some changes or not.


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
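The thread describes gafstoken's approach: the PAM session module reads the KRB5CCNAME that pam_krb5 or sshd stored, obtains a PAG, and then forks and execs whatever token helper the site prefers (aklog, ak5log, gssklog, afslog) rather than linking Kerberos or AFS libraries into the module. The block below is an added example written for this page; it is not code from pam_afs2, gafstoken, or OpenAFS. It shows the fork/exec step only, with the caveats a reviewer would raise: the helper runs as the target user, with an explicit minimal environment instead of the caller's, through execve() rather than system(), and KRB5CCNAME is sanity-checked before it is handed over. The PAG syscall is left out because it is AFS- and kernel-specific; the comment marks where it would go. The helper path, the `run_token_helper` name and its exit-code convention (126 for a failed privilege drop, 127 for a failed exec) are this example's assumptions, not anything the thread specifies.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption for this example: a usable ccache name is non-empty and
 * contains no control characters. Stricter per-site rules (e.g. only
 * FILE:/tmp/krb5cc_* on Solaris 9) would be enforced here as well. */
static int ccache_name_ok(const char *cc)
{
    if (cc == NULL || *cc == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)cc; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Run a token helper (aklog, ak5log, gssklog, afslog ...) as uid/gid
 * with only KRB5CCNAME and a fixed PATH in its environment.
 * Returns the helper's exit status, 126 if the privilege drop failed,
 * 127 if exec failed, or -1 on a local error (errno is set). */
int run_token_helper(const char *helper, const char *ccname,
                     uid_t uid, gid_t gid)
{
    if (!ccache_name_ok(ccname)) {
        errno = EINVAL;
        return -1;
    }

    char kenv[1024];
    int n = snprintf(kenv, sizeof kenv, "KRB5CCNAME=%s", ccname);
    if (n < 0 || (size_t)n >= sizeof kenv) {
        errno = ENAMETOOLONG;
        return -1;
    }

    char *const argv[] = { (char *)helper, NULL };
    char *const envp[] = { kenv, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* In a real module the AFS "setpag" syscall (or k_setpag())
         * would be issued here so the token lands in a fresh PAG.
         * Drop to the target user before the helper touches the
         * credential cache; a real module would also call initgroups(). */
        if (getuid() != uid || getgid() != gid) {
            if (setgid(gid) != 0 || setuid(uid) != 0)
                _exit(126);
        }
        execve(helper, argv, envp);   /* never inherits PAM's environ */
        _exit(127);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s /path/to/aklog KRB5CCNAME\n", argv[0]);
        return 2;
    }
    int rc = run_token_helper(argv[1], argv[2], getuid(), getgid());
    printf("%s exited with %d\n", argv[1], rc);
    return rc == 0 ? 0 : 1;
}
```

Inside pam_sm_open_session() the ccname argument would come from pam_getenv(pamh, "KRB5CCNAME") and the uid/gid from the PAM_USER's passwd entry; if KRB5CCNAME is absent the module should return PAM_SUCCESS without running anything, since obtaining a token is not an authentication step.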
