Juha Jäykkä <[EMAIL PROTECTED]> writes:

> I would have thought pam_krb5.so [1] does this by itself, but apparently
> I am mistaken (again).

It's only a PAM module for Kerberos. It doesn't know anything about AFS.

> While it would be relatively easy to write a small pam module to handle
> the creation of a suitable PAG, I must wonder whether one exists
> already?

libpam-openafs-session in Debian. There are others floating around as well.

> Anything that depends on aklog from openafs-krb5 will not do since it
> just segfaults (probably the AES keys again, but I did not test this
> point).

Ah. Well, either you're going to have to create a DES key for AFS or you're going to have to run the kaserver and use Kerberos v4 for AFS. AFS doesn't do AES, at all.

If you do have a DES key for AFS, I don't see why that aklog wouldn't work, but it's also fairly old. Soon we'll have the OpenAFS aklog packaged for Debian.

> By the way, is Heimdal's kinit/afslog at fault here for not creating the
> proper PAG?

Generally a process has to put itself in a PAG. There's an ugly hack for putting your parent process in a PAG (and for right now libpam-openafs-session even relies on it), but it's not the default. You don't really want to do that without being in control of it; otherwise, running kinit would, for instance, sever your PAG from the PAG of any background processes spawned in the same shell. That's not what people normally expect to have happen.

> [1] The version from :pserver:[EMAIL PROTECTED]:/usr/local/CVS
> - it looks like it's the old RedHat pam_krb5.so emerged with the sf.net
> version and with still active development unlike any other pam_krb5.so I
> can find.

The Red Hat Kerberos PAM module scares me. The PAM module in Debian is under active development with a different upstream and handles some things better (and will handle quite a few more things better when I find time to get the next version uploaded).

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
