On Thu, 12 Apr 2007, Joe Buehler wrote:
> Alexander Al wrote:
>> Is there someone who could tell me how I should configure PAM
>> with krb5 with a Windows kdc and openafs client 1.4.x ?
>
> My own related question -- What is the "best" way to get AFS tokens
> during login when using krb5? There seems to be more than one way
> to do it, as far as PAM goes, and it is not clear to me what is
> currently best practice.

The best way I am aware of is to get your Kerberos 5 credentials using a
'normal' pam_krb5, running in the auth section of the stack. Then, use a
PAM AFS session module to use these to get AFS credentials at session
establishment (in the 'session' part of the PAM stack). There are two such
modules of which I am currently aware:

* Doug Engert's pam_afs2
  (ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar and
  ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar)
* Russ Allbery's pam_openafs_session
  (http://www.eyrie.org/~eagle/software/pam-afs-session/)

We're currently using pam_afs2 here - I think it's likely we'll
investigate moving to pam_openafs_session for our next major release.

The place you'll generally run into pain is with OpenSSH - due to its
unique method of calling the PAM stack. Doing everything in a session
module dramatically reduces this pain.

Cheers,

Simon.
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
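
A way to check an existing PAM service file against the layout described in the reply above (Kerberos 5 credentials from pam_krb5 in `auth`, AFS token from a session module in `session`). This is an added example, not part of the original thread or of either project; the module file names `pam_krb5.so`, `pam_afs2.so` and `pam_afs_session.so` and the sample file are assumptions constructed for illustration.

```python
import re

# Module file names are assumptions; the message names the projects only.
KRB5_AUTH = {"pam_krb5.so"}
AFS_SESSION = {"pam_afs2.so", "pam_afs_session.so"}

# Constructed sample service file, for illustration only.
SAMPLE = """\
# /etc/pam.d/sshd (constructed)
auth     required  pam_krb5.so
account  required  pam_unix.so
@include common-password
session  required  pam_unix.so
session  optional \\
         pam_afs_session.so
"""

def parse_pam(text):
    """Yield (type, control, module) for each rule in a pam.d file."""
    text = re.sub(r"\\\n", " ", text)            # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        inc = re.match(r"@include\s+(\S+)", line)  # Debian-style include
        if inc:
            yield "include", "include", inc.group(1)
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            mtype, control, module = m.groups()
            # Compare on the file name so absolute module paths also match.
            yield mtype.lower(), control, module.rsplit("/", 1)[-1]

def check_stack(text):
    """Report whether the stack matches the layout described in the message."""
    rules = list(parse_pam(text))
    return {
        "krb5_in_auth": any(t == "auth" and m in KRB5_AUTH for t, _, m in rules),
        "afs_in_session": any(t == "session" and m in AFS_SESSION for t, _, m in rules),
        # Included files are not followed; they must be checked separately.
        "includes": [m for t, c, m in rules if "include" in (t, c) or c == "substack"],
    }

if __name__ == "__main__":
    print(check_stack(SAMPLE))
```

A `False` result alongside a non-empty `includes` list means the rule may live in one of the included files, which this check does not follow.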