
Re: Heimdal, OpenAFS and Linux PAM



> 
> First, there seems to be no good PAM module to authenticate against
> Heimdal, set the AFS PAG and get the AFS token. What would you suggest? We
> have had the best results with RedHat's pam_krb5.so, but it does not seem
> to set the PAG at all.

The pam module is only used for console and xdm login isn't it? So
the console login ends up in the default uid pag. Then we have an
"afslog" in the login scripts so that we can get away with a pam
module that only knows about kerberos.

> That's not nice: it forces us to open our AFS home
> directories for world list access since we cannot let sshd (and others)
> have an AFS ticket.

All sites I know have list (but not necessarily read) on $HOME.
Then $HOME/Public is "rl" and $HOME/.bashrc -> $HOME/Public/.bashrc.

Sorry if this is not the answer you wanted to hear ;-)

Remote logins (telnetd, rshd, ...) by default create a new pag for
each connection.

> Second, kinit does not seem to set PAG either: doing kinit in an xterm
> changes the tokens of another shell in another xterm with a different
> KRB5CCNAME. Is this intentional or have I misconfigured something? 

I think this is "as designed". To get a new pag in an xterm you need a
new shell in a new pag. "pagsh" gives you a new pag and sets a
new KRB5CCNAME.

> I have
> not noticed any krb5.conf option which would enforce a call to k_setpag()
> or make kinit do pagsh first.

I don't think this has been implemented, do you want something like

#!/bin/sh
# Start a new PAG, run kinit there (all arguments passed through to it),
# then exec the user's shell inside that PAG so its tokens stay separate.
exec pagsh sh -c 'kinit "$@" && exec "${SHELL:-/bin/sh}"' sh "$@"

Harald.
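The "afslog in the login scripts" approach above is left to the reader. As an added example, not part of the original thread or of Heimdal/OpenAFS, here is a fragment for a login script (for instance the $HOME/Public/.bashrc that $HOME/.bashrc points to) that runs afslog only when a Kerberos ticket exists and there is not already an AFS token for the cell. The cell name `example.org`, the `tokens` output lines used as sample input, and the helper names `have_afs_token`, `have_krb_ticket` and `need_afslog` are assumptions for illustration; the decision is in a function that takes the `tokens` output as an argument so it can be checked without a running cache manager.

```shell
#!/bin/sh
# Added example (not from the thread): obtain an AFS token from an existing
# Kerberos ticket at login when the PAM module only knows about Kerberos.
# Assumptions: Heimdal klist/afslog and OpenAFS tokens are on PATH; the
# cell name is a placeholder; the "tokens for afs@CELL [Expires ...]" line
# format is the one OpenAFS tokens prints.

AFS_CELL="${AFS_CELL:-example.org}"   # placeholder cell name

# Return 0 if the given `tokens` output ($2) lists a token for cell $1.
# Matches both "User's (AFS ID n) tokens for afs@CELL [..." and
# "Tokens for afs@CELL [..." (case-insensitive, fixed string).
have_afs_token() {
    cell="$1"; tokens_out="$2"
    printf '%s\n' "$tokens_out" | grep -qiF "tokens for afs@${cell} "
}

# Return 0 if there is a usable ticket in $KRB5CCNAME (klist -s exits 0).
have_krb_ticket() {
    klist -s 2>/dev/null
}

# Decide whether afslog should run: 0 = yes, 1 = nothing to do.
# $1 cell, $2 output of `tokens`, $3 exit status of have_krb_ticket.
need_afslog() {
    cell="$1"; tokens_out="$2"; have_ticket="$3"
    [ "$have_ticket" -eq 0 ] || return 1      # no ticket: afslog would fail
    ! have_afs_token "$cell" "$tokens_out"    # already have a token: skip
}

# Only act in a real login shell where the AFS tools exist.
if command -v tokens >/dev/null 2>&1 && command -v afslog >/dev/null 2>&1; then
    if have_krb_ticket; then t=0; else t=1; fi
    if need_afslog "$AFS_CELL" "$(tokens 2>/dev/null)" "$t"; then
        afslog "$AFS_CELL"
    fi
fi
```

Because the whole fragment is guarded by `command -v`, it is harmless on hosts without AFS, and because afslog is only run when klist -s succeeds, a login without a ticket (for example an sshd session that could not forward one) does not produce an error in the shell startup.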