ak5log

Douglas E. Engert deengert at anl.gov
Thu May 1 10:32:34 EDT 2003



"Erland Fristedt (QRA)" wrote:
> 
> Hi,
> 
> I'm using "KERBEROS and AFS INTEROPERABILITY ROUTINES" written by
> Douglas E. Engert.
> 
> To be able to use his ak5log I had to modify the file
> "src/appl/bsd/login.c" as below.

I am not sure why you had to modify the login.c. I did not need to.
But instead, the calling program, like krlogind or PAM, will call
krb5_afs_pag, which will get a PAG and fork/exec ak5log.
The setpag is done using syscall directly and does not require
any AFS libraries in krlogind. It also protects against failure of the
syscall, such as if the cache manager is not running or AFS is not
installed on the system. (ak5log does use the AFS libraries.)


The krb5_afs_pag routine comes with the ak5log, and is added to the krb5 lib.


I need to put out a new set of diffs, as the last was for 1.2.2, but
we have them for 1.2.3 and 1.2.6, and I am testing 1.2.8.
See ftp://achilles.ctd.anl.gov/pub/kerberos.v5 and pub/DEE

ak5log was designed to work in an environment where the KDC could
not do k4 and the krb524d did not have access to the KDC database,
such as DCE and W2K. It also allows for separate keys to authenticate
to the krb524d and to encrypt the AFS token.

> 
> Is this a good idea or should it be done in an other way?

There are other ways: use aklog or gssklog.

But this does bring up another point when the user's home directory
is in AFS. In every method I have seen, the AFS token is gotten after
the host has looked at the .k5login, and other dot files in the
home directory. This requires the directory to have AFS permissions
of at least "lookup", with the dot files being symlinks to a directory
with something like "system:anyuser read".

But if the AFS token were gotten earlier (I don't know of any mods that do),
root could use the token to check the dot files, including .k5login,
thus allowing the home directory not to require "lookup", and the
dot files would not have to be treated specially.

> 
> BR / Erland
> 
> void
> afs_login ()
> {
> #if defined(KRB4_GET_TICKETS) && defined(SETPAG)
>     if (login_krb4_get_tickets && pwd->pw_uid) {
>         /* Only reset the pag for non-root users. */
>         /* This allows root to become anything. */
>         pagflag = try_setpag ();
>     }
> #endif
> #ifdef KRB_RUN_AKLOG
>     if (got_v4_tickets && login_krb_run_aklog) {
>         /* KPROGDIR is $(prefix)/bin */
>         char aklog_path[MAXPATHLEN];
>         struct stat st;
>         /* construct the name */
>         /* get this from profile later */
>         aklog_path[sizeof(aklog_path) - 1] = '\0';
>         strncpy (aklog_path, KPROGDIR, sizeof(aklog_path) - 1);
>         strncat (aklog_path, "/aklog", sizeof(aklog_path) - 1 - strlen(aklog_path));
>         /* only run it if we can find it */
>         if (stat (aklog_path, &st) == 0) {
>             system(aklog_path);
>         }
>     }
> #endif /* KRB_RUN_AKLOG */
> /* Inserted by Erland */
> #if defined(KRB_RUN_AK5LOG) && defined(KRB5_GET_TICKETS)
>     if (got_v5_tickets || forwarded_v5_tickets)
>     {
>         char aklog_path[MAXPATHLEN];
>         struct stat st;
>         /* construct the name */
>         /* get this from profile later */
>         aklog_path[sizeof(aklog_path) - 1] = '\0';
>         strncpy (aklog_path, KPROGDIR, sizeof(aklog_path) - 1);
>         strncat (aklog_path, "/ak5log", sizeof(aklog_path) - 1 - strlen(aklog_path));
>         /* only run it if we can find it */
>         if (stat (aklog_path, &st) == 0) {
>             system(aklog_path);
>         }
>     }
> #endif /* KRB_RUN_AK5LOG */
> }

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
