OpenAFS and OpenSSH replacing kafs
Douglas E. Engert
deengert at anl.gov
Sun Feb 29 02:02:01 EST 2004
Markus Friedl wrote:
>
> On Fri, Feb 27, 2004 at 05:23:38PM -0600, Douglas E. Engert wrote:
> > Would OpenSSH be willing to add such a mod?
>
> i don't see why sshd should play a dynamic linking game.
>
> either the library has the symbol at compiletime
> or not.

If a vendor, like Red Hat, Apple, Sun, HP, IBM or OpenBSD builds
OpenSSH for distribution, they can do it without having OpenAFS
available at compile time.

Yet when the end user uses OpenSSH on a system with OpenAFS
they will work together because the hook in OpenSSH will already be
in place by default.

The use of the dynamic library gets the setpag code to run from
the correct process. It might also be useable with PAGs for NFSv4.

Two other approaches are:

(1) Make the get_afs_token routine part of OpenSSH and compiled in.
    But this then has some dependencies on how the setpag is done
    and vendors may not compile in this option, especially if any
    OpenAFS libs are required at compile time.

(2) PAM could be called when GSSAPI is used for authentication.
    A PAM session routine could do the setpag, as long as the PAM
    routine is run from the correct process.

    This opens up some other possibilities of moving some or all
    of the Heimdal vs MIT kerberos dependencies to PAM routines
    as well.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
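
The runtime-hook approach discussed in this message, sketched in C as an added example that is not OpenSSH or OpenAFS code. The library path, the hook's signature and the ownership checks are assumptions for illustration; the thread names only get_afs_token and setpag.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed names: the thread gives no library path or hook signature. */
#define HOOK_LIB "/usr/lib/libafs_hook_example.so"
#define HOOK_SYM "get_afs_token"
typedef int (*token_hook_fn)(const char *user);
enum hook_result { HOOK_RAN, HOOK_ABSENT, HOOK_REJECTED, HOOK_FAILED };

/* A privileged daemon should only load a library it can trust: absolute
 * path, regular file, owned by root, not writable by group or other. */
static int path_trust(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return -1;                      /* never rely on the search path */
    if (stat(path, &st) != 0)
        return 0;                       /* hook library not installed */
    if (!S_ISREG(st.st_mode) || st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 1;
}

/* A PAG is attached to the calling process and inherited by its children,
 * so call this in the process that goes on to start the user's session. */
enum hook_result run_token_hook(const char *lib, const char *user)
{
    token_hook_fn fn = NULL;
    int trust = path_trust(lib);
    if (trust < 0) return HOOK_REJECTED;
    if (trust == 0) return HOOK_ABSENT;  /* built without AFS, runs without AFS */

    void *h = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) return HOOK_FAILED;   /* present and trusted, but unloadable */
    *(void **)(&fn) = dlsym(h, HOOK_SYM);
    if (fn == NULL) { dlclose(h); return HOOK_ABSENT; }
    /* The handle stays open: the hook's code must remain mapped. */
    return fn(user) == 0 ? HOOK_RAN : HOOK_FAILED;
}

int main(void)
{
    printf("hook result: %d\n", run_token_hook(HOOK_LIB, "alice"));
    return 0;
}
```

On older glibc this links with `-ldl`. A caller would treat `HOOK_ABSENT` as the normal case on hosts without AFS and log `HOOK_REJECTED`, since it means the library exists but fails the ownership or path checks.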