Juha Jäykkä wrote:
>> sshd won't leak this token to the user if your PAM setup is appropriate.
>> You have to make sure that the user is put into their own PAG as part of
>> the session initialization process, even if they don't get a token.
> I would have thought pam_krb5.so [1] does this by itself, but apparently I
> am mistaken (again).
Not really. pam_krb5 is for Kerberos. PAGs are for AFS. Kerberos is much
more widely used than AFS, so many pam_krb5 routines don't know anything
about AFS or PAGs. But some do, so look for a pam_krb5afs.so.
> While it would be relatively easy to write a small
> pam module to handle the creation of a suitable PAG, I must wonder whether
> one exists already?
Yes, pam_afs2 can be called after a pam_krb5 to get a PAG, and fork/exec
an aklog, ak5log, afslogin or gssklog to get the tokens.
See ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> Anything that depends on aklog from openafs-krb5 will
> not do since it just segfaults (probably the AES keys again, but I did not
> test this point).
> By the way, is Heimdal's kinit/afslog at fault here for not creating the
> proper PAG? It's very convenient to have kinit do all the tricks, but if
> it does them wrong...
> Ah! Thank you for saying! I never would have guessed that, and now
> I'll know for the future.
You're welcome.
> Cheers,
> Juha
> [1] The version from :pserver:[EMAIL PROTECTED]:/usr/local/CVS -
> it looks like it's the old RedHat pam_krb5.so merged with the sf.net
> version and with still active development unlike any other pam_krb5.so I
> can find.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
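The thread's point is that an sshd session must land in its own PAG even when no token is obtained, otherwise tokens are shared with whatever process group the session inherits. The following is an added example, not code from the thread, from pam_afs2 or from OpenAFS: a small POSIX shell check an administrator can run from a fresh login to confirm the PAM stack actually created a PAG. It assumes the Linux OpenAFS client encodes a PAG as a supplementary group ID in the range 0x41000000-0x41FFFFFF (the single-gid encoding; the older two-gid encoding is not decoded here), and the sample gid lists at the bottom are constructed for the test.

```shell
#!/bin/sh
# Added example: detect whether the calling session is in an AFS PAG.
# Assumption: Linux OpenAFS represents a PAG as one supplementary gid
# of the form 0x41xxxxxx (1090519040..1107296255 in decimal).

# pag_from_gids GID... -> prints the PAG gid in hex and returns 0 if one
# of the given gids is a PAG gid, otherwise prints nothing and returns 1.
pag_from_gids() {
    for g in "$@"; do
        case "$g" in
            ''|*[!0-9]*) continue ;;   # skip anything that is not a number
        esac
        if [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; then
            printf '0x%x\n' "$g"
            return 0
        fi
    done
    return 1
}

# check_session_pag -> reports on the current process's own groups.
# Run this from a shell obtained through sshd after changing the PAM stack:
# if it reports no PAG, pam_afs2 (or whatever does setpag) is not running
# in the session phase, and tokens will be shared across logins.
check_session_pag() {
    if pag="$(pag_from_gids $(id -G))"; then
        echo "session is in PAG $pag"
        return 0
    fi
    echo "no PAG: this session shares AFS tokens with its parent" >&2
    return 1
}

# Constructed sample gid lists (as 'id -G' would print them):
SAMPLE_WITH_PAG="1000 10 1090519041"    # users, wheel, PAG 0x41000001
SAMPLE_WITHOUT_PAG="1000 10"

# Uncomment to run against the live session:
# check_session_pag
```

On kernels where OpenAFS keeps the PAG in the session keyring, `keyctl show` will also list an afs_pag key; the gid check above is the portable one and is what the legacy aklog tools key off.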