Derrick J Brashear wrote:
> On Thu, 14 Apr 2005, Douglas E. Engert wrote:
>> pam_afs2 is not doing authentication, it is there to get a PAG and token
>> using the credentials saved by a previous pam or by the application like
>> OpenSSH.
> I wrote that in like 1997, it was called pam_afs, used the kerberos tickets gotten by pam_krb4, and linked libraries instead of forking;-)
>> Well, do you have a newer version of this for krb5?
> No, it hasn't been touched since 1997;-) After working with PAM for a while I came to the conclusion that I hated working with PAM because of inconsistent application support (does the setcred hook work correctly? when are open/close session called? is the environment variable exporting correct? what is done before uid change and what is done after?) and sparse pam.conf keywords. (require pam_krb4 and then optional pam_afs, and then sufficient pam_unix was almost what I wanted)
I don't like pam either for the same reasons.
But as more and more packages are starting to support PAM, it looks like the lesser of many evils, as it gets one out of modifying package source code and into modifying pam.conf files instead.
As you point out, does the setcred work, when are open/close session called, is the environment or the pam_setenv set?
I have tried to make pam_afs2 flexible enough to handle these situations. It can be forced to do its thing from the pam_sm_authenticate, pam_sm_setcred, or pam_sm_open_session.
On a system like HP-UX where it does not have a pam_setenv, the pam_afs2 can take a ccache= parameter, so at a minimum, it could use ccache=FILE:/tmp/krb5cc_%u which would be the default cache used by Kerberos. A %p for process id can also be used in the name.
If and when the vendors improve their PAM, then this can be improved.
For example on Solaris with dtlogin, the pam_afs2 is used from the pam_sm_open_session:

dtlogin auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass \
    forwardable force_creds
dtlogin session required /krb5/lib/pam_afs2.so.1

Whereas when the screen is unlocked it is called from pam_sm_authenticate:

dtsession auth optional /krb5/lib/pam_krb5.so.1 use_first_pass \
    forwardable force_creds refresh_creds
dtsession auth optional /krb5/lib/pam_afs2.so.1 force_afs nopag

And with OpenSSH-3.9 (with a patch that is in 4.x) pam_afs2 is called to use the Kerberos cache created by pam_krb5, gssapi delegation or the compiled in kerberos support.

sshd session required /krb5/lib/pam_afs2.so.1
pam_afs2.c is still a work in progress, and I have tried to make it flexible. It needs more testing on different systems with different combinations of vendor provided pam_krb5 routines.
I am using a modified version of Frank Cusack's pam_krb5, but have started to look at the sourceforge pam_krb5 that is the basis for the RedHat pam_krb5. I want to get to using the Solaris 10 pam_krb5 and the HP-UX 11.23 pam_krb5 before I retire!
And probably you don't want it either.
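Added illustration (editor's example, not pam_afs2's own code): how a module of this kind could parse the options mentioned above (force_afs, nopag, ccache=) and expand a ccache template such as FILE:/tmp/krb5cc_%u with %u (user) and %p (process id). The function names, the struct, and the rejection of user names containing "/" are assumptions of this example; the option names come from the thread. The user-name check matters because the expanded value is a file path the module will later open.

```c
/* Hypothetical helper code, not from pam_afs2: parse pam.conf module
 * arguments and expand a ccache= template. No PAM headers are needed,
 * so it builds and runs stand-alone. */
#include <stdio.h>
#include <string.h>

struct afs_opts {
    int force_afs;        /* "force_afs": act from pam_sm_authenticate */
    int nopag;            /* "nopag": do not create a new PAG */
    const char *ccache;   /* text after "ccache=", or NULL when absent */
};

/* Parse argv-style module options as passed to a PAM module.
 * Returns the number of options it did not recognise. */
int parse_afs_opts(int argc, const char *argv[], struct afs_opts *o)
{
    int unknown = 0;
    memset(o, 0, sizeof *o);
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "force_afs") == 0)
            o->force_afs = 1;
        else if (strcmp(argv[i], "nopag") == 0)
            o->nopag = 1;
        else if (strncmp(argv[i], "ccache=", 7) == 0)
            o->ccache = argv[i] + 7;
        else
            unknown++;
    }
    return unknown;
}

/* Expand %u (user name) and %p (process id) in tmpl into out.
 * "%%" yields a literal '%'. Returns 0 on success, -1 when the user
 * name is empty or contains '/', when an unknown %-escape appears, or
 * when the result would not fit in outlen bytes. Refusing '/' keeps a
 * crafted user name from redirecting the cache path elsewhere. */
int expand_ccache(const char *tmpl, const char *user, long pid,
                  char *out, size_t outlen)
{
    size_t n = 0;

    if (user == NULL || *user == '\0' || strchr(user, '/') != NULL)
        return -1;

    for (const char *p = tmpl; *p; p++) {
        char buf[32];
        const char *piece;
        size_t len;

        if (*p == '%' && p[1]) {
            p++;
            if (*p == 'u') {
                piece = user;
            } else if (*p == 'p') {
                snprintf(buf, sizeof buf, "%ld", pid);
                piece = buf;
            } else if (*p == '%') {
                piece = "%";
            } else {
                return -1;          /* unknown escape: refuse rather than guess */
            }
            len = strlen(piece);
        } else {
            buf[0] = *p;
            buf[1] = '\0';
            piece = buf;
            len = 1;
        }
        if (n + len + 1 > outlen)   /* keep room for the terminator */
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the dtsession line from the thread plus a ccache= option. */
    const char *argv[] = { "force_afs", "nopag", "ccache=FILE:/tmp/krb5cc_%u_%p" };
    struct afs_opts o;
    char path[128];

    parse_afs_opts(3, argv, &o);
    if (expand_ccache(o.ccache, "dengert", 4242, path, sizeof path) == 0)
        printf("force_afs=%d nopag=%d ccache=%s\n", o.force_afs, o.nopag, path);
    return 0;
}
```

The template is read from pam.conf, which is root-owned, so the only untrusted input here is the user name; that is why only %u is validated and an unknown escape is an error rather than silently dropped.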
_______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
