From owner-freebsd-hackers Thu Dec 7 0: 5:16 2000
From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 7 00:05:13 2000
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from isua3.iastate.edu (isua3.iastate.edu [129.186.1.139])
	by hub.freebsd.org (Postfix) with ESMTP id 2F86B37B400
	for ; Thu, 7 Dec 2000 00:05:13 -0800 (PST)
Received: from localhost (ccsanady@localhost)
	by isua3.iastate.edu (8.8.8/8.8.5) with SMTP id CAA20128;
	Thu, 7 Dec 2000 02:05:10 -0600 (CST)
Message-Id: <200012070805.CAA20128@isua3.iastate.edu>
To: "Jacques A. Vidrine"
Cc: freebsd-hackers@freebsd.org
Subject: Re: PAM issues..
In-reply-to: Your message of Wed, 06 Dec 2000 20:14:38 -0600. <20001206201438.B64751@spawn.nectar.com>
Date: Thu, 07 Dec 2000 02:05:10 CST
From: Chris Csanady
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>On Thu, Dec 07, 2000 at 12:06:46AM +0000, Chris wrote:
>> Hi, I have been writing a PAM module to do Kerberos 5 and AFS stuff, and
>> have run across a couple of problems.
>
>Have you looked at ports/security/pam_krb5, by the way? This does
>Kerberos 5, but not AFS.

IIRC, this module will authenticate you, but will not get you tickets. I think this was because the tickets are stored using pam_setcred(), hence my question. I haven't looked at it for a while though--it's possible the situation has changed.

Anyways, what I have written gets Kerb 5 tickets, converts them to v4, and then adds the token after setting up a PAG. Basically, what the MIT aklog does, but it actually compiles and works with our kafs library.

>> The next is pam_setcred(). I've noticed that this is not actually
>> called from login/etc, so it doesn't do much good. Is this
>> intentional? Not that it matters much, for anything other than
>> compatibility with other modules.
>
>Patching login et al. to call pam_setcred is trivial. The only reason I
>haven't done so yet is because pam_setcred is all but useless. :-) I'm
>enclosing a previous message that I sent to the FreeBSD PAM maintainer
>(ok well it went to jdp first and then later to markm) to explain more
>fully. None of us have had time to address it yet, and this appears to
>be a bug in Linux-PAM (which is the implementation we use).

I figured it was something along these lines. :) I realize the pam_setcred is about useless, but it would be nice to have session support. Anyways, thanks for the pointer.

Chris