pam-afs-session is a PAM module that isolates each login in a separate AFS PAG (so that they will not trample on each other's AFS tokens) and supports either running an external program to obtain AFS tokens from a Kerberos v5 ticket cache or using Heimdal's libkafs library. It does not obtain tickets itself and must be used in conjunction with a Kerberos v5 PAM module to obtain tokens (setting up PAGs can be done without any Kerberos implementations). It provides only the setcred and session PAM functions.
For the AFS system call layer, pam-afs-session supports linking with the Heimdal libkafs library or the libkopenafs library, which will ship with later versions of OpenAFS and provides a similar interface. As a fallback, and to support a low-dependency build on Linux systems, it also comes with a simple AFS system call implementation for Linux only. To use the built-in system call interface, the system must run a new enough version of OpenAFS or Arla to support AFS system calls through ioctl on a file in /proc.
The module is written in C and currently requires either gcc, the Solaris C compiler, or the HP-UX C compiler to compile. If you know the correct compilation and linker flags for PAM modules with other compilers, please let me know. It supports linking with the libkafs library that comes with Heimdal; if you do not have that library available, a fallback system call implementation is available that will work on Linux or on a system that does AFS calls through syscall. For Linux, to use this fallback, a version of OpenAFS or Arla new enough to use a file in /proc for system calls is required. For other platforms, to use this fallback, the afs/param.h header file from OpenAFS is required to get the system call number.
The PAM implementations on Linux, Solaris, Mac OS X, HP-UX, and AIX are supported, although the module is primarily tested on Linux and only lightly tested (or not tested at all by me personally) on the other platforms. Use on platforms with other PAM implementations, such as IRIX or the *BSDs, will require more porting and will not currently work. Patches are welcome.
The module can optionally be linked with Kerberos libraries to obtain configuration information from krb5.conf and to support the kdestroy option. Either MIT Kerberos or Heimdal should work.
The module can optionally use Heimdal's libkafs library to obtain tokens as well as create the PAG. If you are using Heimdal and obtaining tokens from Kerberos tickets, this is the recommended configuration, since it means that the PAM module doesn't have to fork an external process. For other users, an external aklog program that obtains tokens is necessary (and not provided by this module).
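The following check is an added example, not code from pam-afs-session or its documentation. It audits a PAM service file for the two placement constraints described above: the module implements only the setcred (auth stack) and session functions, and it needs a Kerberos v5 PAM module to obtain tokens. The file names pam_afs_session.so and pam_krb5.so, the sample configuration, and the rule that the Kerberos module must come earlier in the same stack are assumptions.

```python
import re

# Constructed sample service file under /etc/pam.d (not from the pam-afs-session docs).
SAMPLE = """\
auth     required  pam_unix.so
auth     optional  pam_afs_session.so
auth     required  pam_krb5.so
session  required  pam_krb5.so
session  [success=ok default=ignore]  /lib/security/pam_afs_session.so
account  required  pam_afs_session.so
"""

AFS = "pam_afs_session.so"               # assumed module file name
KRB5 = re.compile(r"^pam_krb5\w*\.so$")  # assumed Kerberos v5 module file name
SUPPORTED = {"auth", "session"}          # setcred is called from the auth stack


def parse(text):
    """Yield (line_no, pam_type, module_basename) for each rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue
        i = 1  # index of the last field of the control column
        while fields[1].startswith("[") and not fields[i].endswith("]") \
                and i < len(fields) - 2:
            i += 1
        yield n, fields[0].lstrip("-"), fields[i + 1].rsplit("/", 1)[-1]


def audit(text):
    """Return (line_no, message) findings for pam_afs_session placement."""
    findings, krb5_seen = [], set()
    for n, ptype, module in parse(text):
        if KRB5.match(module):
            krb5_seen.add(ptype)
        elif module == AFS and ptype not in SUPPORTED:
            findings.append((n, f"{AFS} provides no {ptype} function"))
        elif module == AFS and ptype not in krb5_seen:
            findings.append((n, f"no Kerberos v5 module before {AFS} in {ptype}"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```

A stack that only creates PAGs and never obtains tokens does not need the Kerberos module, so the second finding applies only where tokens are expected.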
The distribution:
| pam-afs-session 1.7 | 2008-07-11 | Download | PGP signature |
An archive of older releases is also available.
Documentation:
Debian packages are available from Debian as of lenny as libpam-afs-session. Debian 4.0 (etch) and earlier have libpam-openafs-session, which is unrelated to this module.
pam-afs-session is maintained using the Git version control system. To check out the current development tree, clone:
git://git.eyrie.org/afs/pam-afs-session.git
You can also browse the current development source.
The pam-afs-session package as a whole is covered by the following license:
Copyright 2005, 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-afs-session source distribution.