Juha Jäykkä wrote:

I would like to see the OpenAFS people pick this up and distribute the
pam_afs2 or its equivalent with OpenAFS, as it is only used by AFS. The
discussions on the list lately are headed this way.


I support that idea. It is the only pam module which does things the Right
Way(tm). I did some testing with OpenSSH 4.2, PAM and OpenAFS today (the
whole day, actually) and here is what I found out:

RedHat's pam_krb5.so

Will leak tokens (not create a PAG) when authenticating with pubkey
Gets tokens when given kerberos password
Does not get tokens when given the password pam_unix.so uses
Gets tokens when authenticating with gssapi
All this works no matter how sshd is configured


Debian's pam_krb5.so (where does this originate from?)

Will leak tokens (not create a PAG) when authenticating with pubkey
Does not get tokens when given the password pam_unix.so uses
Gets tokens when authenticating with gssapi
All this works no matter how sshd is configured

Debian's pam_krb5.so also gets the tokens when authenticating using
kerberos password IF AND ONLY IF the following sshd config variables have
the following values:

PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no


BOTH these modules need Douglas's pam_afs2.so to make sure someone creates
the PAG. Otherwise things get messy, like noted in earlier posts by
various people.

Does pam_afs2.so *always* create the PAG?

Yes, unless you passed in the nopag option. Useful for xlock or xscreensaver
to reuse the current PAG. Tell the pam_krb5 to reuse the ticket cache at the
same time.


I am a little worried it does
not, there are various ways in the code to "goto err" which bypasses the
call to libgafstoken, which sets the pag. Would it be possible to add a
check: if pam_afs2.so detects (available) AFS tokens, it would create the
new PAG no matter what?

Not really. pam_afs2 does not detect if there is a PAG already, or if
there are any tokens. It does not have any AFS code in it, only the syscall,
fork and exec.

(No one should call pam_afs2.so twice anyway, so
there should be no fear of creating a new PAG over one we created
previously.)


Also, with RedHat's pam_krb5.so one can change the ticket lifetimes to
something different than the realm default. With Debian's this is not
possible (at least there is nothing about it in the docs).


I used to be on the Globus project, but not any more. The gatekeeper
was set up to be able to fork/exec the gssklog. There is a gatekeeper
patch in with it too.  You could run the gssklog for the Globus users
while still using Kerberos for your normal users.


This sounds very nice. I'll look into this after this AFS thing is
finished.

Cheers,
Juha


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
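Added example, not from the thread or from the pam_afs2 project: a sketch of the PAM stacks the exchange above describes, with pam_afs2.so placed after pam_krb5.so so that a PAG is created before tokens are fetched, and with the nopag option for an unlock-only stack. The control flags, the use of pam_afs2.so in the session phase and the module order are assumptions; the pam_krb5 option for reusing an existing ticket cache differs between the RedHat and Debian modules and is left as a placeholder.

```conf
# /etc/pam.d/sshd (assumed layout)
# pam_krb5.so authenticates and writes a ticket cache; pam_afs2.so then
# creates the PAG and forks/execs the token helper, so every login method
# (password, gssapi, pubkey) ends up in its own PAG instead of leaking tokens.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so
account   required    pam_unix.so
session   required    pam_unix.so
session   optional    pam_afs2.so          # creates a new PAG, then sets tokens

# /etc/pam.d/xscreensaver (assumed layout; screen unlock, not a fresh login)
# The session already has a PAG and tokens; nopag keeps pam_afs2.so from
# replacing it, and pam_krb5.so is told to reuse the existing ticket cache.
auth      sufficient  pam_krb5.so <REUSE_CCACHE_OPTION>   # placeholder: name depends on the pam_krb5 build
auth      required    pam_unix.so
session   optional    pam_afs2.so nopag    # stay in the current PAG
```

The sshd stack only yields tokens for password logins under the sshd_config values listed earlier in the thread; pubkey and gssapi logins still pass through pam_afs2.so and get their PAG.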
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
