From: Franco "Sensei" <[EMAIL PROTECTED]>
Christopher D. Clausen wrote:
We can compile (at least I hope) aklog from sources, but the problem is
that I don't see where to attach aklog, which has to be run before a
session is opened.

Just for the sake of testing it, does http://afs.caspur.it/afs/italia/project/ssh/ work for you, getting tokens at login?


I just downloaded and compiled gssklog on AIX:
ftp://achilles.ctd.anl.gov/pub/DEE/

Of course, this requires gssklogd running on your AFS servers, but this
was an acceptable alternative for us since we also use gssklog from our
Windows 2003 machines.

Mmmh... another daemon, another port open. We can give it a try anyway.
How can you use it on aix? I mean, how do you start gssklog in your
config files?

Right now I just type in gssklog as the first thing I run after logging on. For instance:
Using username "cclausen".
[EMAIL PROTECTED]:~]% gssklog
[EMAIL PROTECTED]:~]%


I have my home directory set up to let all my login scripts run fine even if I don't have AFS tokens at login: /afs/acm.uiuc.edu/user/cclausen is system:anyuser l and ~/Public is system:anyuser rl. I have symlinks from ~/ to ~/Public for various files so that my scripts don't depend on tokens to run. Depending on the shells you use, you might be able to fake tokens by running gssklog or aklog directly from /etc/profile or whatever global config your shells use, or from each user's dotfiles.

I can't use LDAP to retrieve user information. And... it's quite bad not
having any token at login! :) Do you use ssh or a direct login?

This is one of the reasons why we still use NIS. Haven't gotten LDAP to work everywhere yet.


I ssh in right now. I have a version of openssh 3.8 that I compiled against MIT Kerberos myself. The version that IBM distributes from their website has Kerberos support, but I wanted to support MIT Kerberos 1.3 so that I could get RC4-HMAC enc_type support, as I'm pretty sure the IBM Kerberos doesn't support it yet.

There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but
I still run 1.2.13 on my AIX machines. Can someone confirm that it does
indeed work against a Kerberos 5 KDC? afs_dynamic_kerbauth does NOT
appear to work against a Kerberos 5 KDC in the 1.2.13 version, although
I will re-test if someone believes it does.

I'd be happy staying with the stable branch... If I'm right afs_dynamic_kerbauth works with kerberos 4, not 5... is it so?

That is what I think as well. Kerberos 4 only, which is hopefully something everyone is moving away from. Although the IBM docs mention DCE, which doesn't work with Kerberos 4, so it's possible that there is Krb5 support; we just don't know how to use it correctly.


The other option is to write your own AIX Auth Module and use it. I am considering doing this myself, but it really isn't worth the trouble for the few machines that we have that run AIX. And newer AIX versions have PAM support, so this is even less useful.

If someone has contacts at IBM, it might be possible to obtain an example or the source to IBM's KRB5 or KRB5A LAM and then modify it to also obtain AFS tokens in addition to Kerberos tickets. I have no idea how willing IBM would be to work with someone on doing just that.

Have you tried using pam_afs2 on AIX? Doug emailed this list a few weeks ago about it: ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

I have an AIX 5.1 system with no PAM support, so it won't work for me, but you might be able to get it to work. You may be able to use LAM on AIX 5.2 to have SSH obtain AFS tokens using one of the AFS PAMs available on the net.

I believe I posted this to the AIX newsgroup, but http://www.feep.net/PAM/AIX/ might be of use to others who haven't seen that post.

I don't have a dev environment set up on an AIX 5.2 machine right now, but when I get around to it I'll attempt to get PAM and LAM working such that tokens can be obtained at login.

<<CDC

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info