OpenAFS and OpenSSH replacing kafs

Sergio Gelato Sergio.Gelato at astro.su.se
Sun Feb 29 09:40:05 EST 2004


* Douglas E. Engert [2004-02-28 09:02:01 -0600]:
> Markus Friedl wrote:
> > 
> > On Fri, Feb 27, 2004 at 05:23:38PM -0600, Douglas E. Engert wrote:
> > >  Would OpenSSH be willing to add such a mod?
> > 
> > i don't see why sshd should play a dynamic linking game.

Isn't PAM also a dynamic linking game? One level removed, but equally
pluggable.

> If a vendor, like Red Hat, Apple, Sun, HP, IBM or OpenBSD builds
> OpenSSH for distribution, they can do it without having OpenAFS 
> available at compile time. 

I think that's a strong argument for some form of dynamic linking
(at least on platforms where this is needed and available).

One reason not to do it through PAM might be that some of the platforms
of interest don't support PAM. One example is Tru64 UNIX: while this
platform does have PAM-like SIA, it's considerably less flexible.

An alternative is for the plug-in to be loaded by the Kerberos library.
This seems to be a straightforward approach on Mac OS X, for example.
(Not confirmed yet; OpenSSH 3.8p1 apparently needs some patching before
it will build on OS X. Am looking into it with the help of Steven
Michaud's earlier work.)

> Yet when the end user uses OpenSSH on a system with OpenAFS
... or Arla ...
> they will work together because the hook in OpenSSH will already be 
> in place by default.    

> The use of the dynamic library gets the setpag code  to run from 
> the correct process. It might also be useable with PAGs for NFSv4. 

One would hope that NFSv4, being GSS-based, would be able to leverage
the credentials cache without any explicit PAG support in OpenSSH.
But we'll see; this stuff is rather hairy.

>   (1) Make the get_afs_token routine part of OpenSSH and compiled in. 
>       But this then has some dependencies on how the setpag is done 
>       and vendors may not compile in this option, especially if any 
>       OpenAFS libs are required at compile time.  

Maybe one should provide compatibility code that only implements
k_hasafs() and setpag() for the platforms supported by OpenSSH portable?
The rest can be done by forking a child process.

>   (2) PAM could be called when GSSAPI is used for authentication. 
>       A PAM session routine could do the setpag, as long as the PAM
>       routine is run from the correct process. 
> 
>       This opens up some other possibilities of moving some or all 
>       of the Heimdal vs MIT kerberos dependencies to PAM routines
>       as well.   

It's problematic on PAMless platforms.
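The hook discussed in this thread, shown as an added example that is not part of the original message or of OpenSSH: sshd resolves the kafs-style entry points at run time with dlopen()/dlsym(), so the vendor build needs no OpenAFS headers or libraries, and the actual token fetch is delegated to a forked child. The library names (libkopenafs, libkafs), the symbol names k_hasafs/k_setpag, and the helper path /usr/bin/aklog are assumptions, not something the thread specifies.

```c
/* Added example (not OpenSSH code): an AFS PAG hook loaded at run time
 * instead of linked at build time. Assumed: kafs-style k_hasafs() and
 * k_setpag() entry points, the library names below, and a placeholder
 * path for the token helper. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*hasafs_fn)(void);
typedef int (*setpag_fn)(void);

struct afs_hook {
    void *handle;      /* dlopen() handle, NULL when no AFS library was found */
    hasafs_fn hasafs;  /* k_hasafs(): non-zero if the AFS client is running */
    setpag_fn setpag;  /* k_setpag(): put this process in a fresh PAG */
};

/* Candidate names are assumptions (OpenAFS libkopenafs, Heimdal/Arla libkafs). */
static const char *const default_afs_libs[] = {
    "libkopenafs.so.2", "libkopenafs.so", "libkafs.so.0", "libkafs.so", NULL
};

/* Try each candidate in turn. Returns 0 when both symbols resolved, -1 when
 * no library is usable; the caller then skips the AFS step, so one sshd
 * binary serves hosts with and without an AFS client installed. */
int afs_hook_load(struct afs_hook *h, const char *const *candidates)
{
    memset(h, 0, sizeof *h);
    for (; *candidates != NULL; candidates++) {
        void *dl = dlopen(*candidates, RTLD_NOW | RTLD_LOCAL);
        if (dl == NULL)
            continue;
        hasafs_fn ha = NULL;
        setpag_fn sp = NULL;
        *(void **)&ha = dlsym(dl, "k_hasafs");   /* POSIX idiom for the cast */
        *(void **)&sp = dlsym(dl, "k_setpag");
        if (ha != NULL && sp != NULL) {
            h->handle = dl;
            h->hasafs = ha;
            h->setpag = sp;
            return 0;
        }
        dlclose(dl);
    }
    return -1;
}

/* Run the token-obtaining program (e.g. aklog) as a child and wait for it.
 * A PAG is inherited across fork(), so the child's tokens land in the PAG
 * the parent just created, and any Heimdal-vs-MIT or cell-specific logic
 * stays out of sshd. Returns 0 on success, -1 if it could not run or failed. */
int run_token_helper(const char *helper_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(helper_path, helper_path, (char *)NULL);
        _exit(127);            /* exec failed: report failure to the parent */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Call this in the process that becomes the user's session (after sshd has
 * forked for it, before the shell is exec'd), never in the privileged parent:
 * a PAG is a per-process attribute, so creating it anywhere else leaves the
 * user's shell outside it. Returns 1 when AFS is absent (nothing to do),
 * 0 when a PAG was created and tokens were obtained, -1 on error. */
int afs_session_setup(const struct afs_hook *h, const char *helper_path)
{
    if (h->handle == NULL || !h->hasafs())
        return 1;
    if (h->setpag() != 0)
        return -1;
    return run_token_helper(helper_path);
}

int main(void)
{
    struct afs_hook h;
    if (afs_hook_load(&h, default_afs_libs) != 0)
        printf("no AFS library found; session continues without a PAG\n");
    /* "/usr/bin/aklog" is a placeholder for the site's token helper */
    int rc = afs_session_setup(&h, "/usr/bin/aklog");
    printf("afs_session_setup returned %d\n", rc);
    if (h.handle != NULL)
        dlclose(h.handle);
    return rc < 0 ? 1 : 0;
}
```

On a host without an AFS client the load step fails and afs_session_setup() returns 1, which is the "works by default" behaviour the thread wants from a vendor build; on a host with OpenAFS or Arla the same binary picks up the PAG support without a recompile. The helper child is also where a site would plug in its own aklog variant or a GSSAPI-based token fetch.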
