% pam-afs-slides.tex -- Slides for AFS and PAM talk.
% $Id: pam-afs-slides.tex 2951 2007-05-02 00:18:30Z eagle $
%
% Written by Russ Allbery <rra@stanford.edu>

\documentclass[landscape,semhelv]{seminar}
\usepackage{url}
\usepackage{hyperref}

\newpagestyle{mypagestyle}%
  {Stanford University \hfil \thedate \hfil \thepage}%
  {\hfil Russ Allbery (rra@stanford.edu) \hfil}
\pagestyle{mypagestyle}

\begin{document}

\begin{slide}
  \begin{center}
    {\large AFS and PAM}

    \vspace{1in}
    
    Russ Allbery \\
    May 1, 2007
  \end{center}
\end{slide}

\begin{slide}
  \section*{Contents}

  \begin{itemize}
  \item What is PAM?
  \item The PAM Groups
  \item PAM for Login
  \item PAM for Screen Savers
  \item AFS PAM Modules
  \item Problems with pam\_afs
  \item Working with pam\_krb5
  \item SSH Challenges
  \item Linux PAM Examples
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{What is PAM?}

  \begin{itemize}
  \item Pluggable Authentication Modules
  \item Abstracts the user authentication and session setup process
  \item Only does authentication and simple authorization
  \item Developed originally on Solaris
  \item Enhanced but mostly compatible version on Linux
  \item Now used by many UNIXes, but implementation varies
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{The PAM Groups}

  \begin{itemize}
  \item PAM divides the login process into groups
    \begin{itemize}
    \item auth: Prompts for and verifies password
    \item account: Simple authorization decisions -- is this account still allowed to log in? (only run at login)
    \item session: Prepares for an interactive session
    \item password: Handles authentication token changes
    \end{itemize}
  \item setcred, the odd step-child (a hook of the auth module, but run after the account group)
  \item setcred vs. open\_session: who knows?  who cares?
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{PAM for Login}

  \begin{itemize}
  \item auth group prompts for password, does basic authentication
    \begin{itemize}
    \item Store the credentials in a separate temporary cache, not the user's final one
    \item Don't chown the credential cache to the user until setcred: at auth time the account group hasn't authorized the login yet
    \end{itemize}
  \item account group does basic authorization
  \item setcred stores credentials and adds supplemental groups
  \item session group creates a login session
  \item When the user logs out, session group closes the login session
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{PAM for Screen Savers}

  \begin{itemize}
  \item auth group prompts for password, does basic authentication
  \item account group could re-check authorization (is the account still allowed?), but screen savers frequently skip it
  \item setcred to refresh credentials (REINITIALIZE/REFRESH)
  \item session group not called
  \item Bad screen savers don't call setcred and thereby lose: the user's credentials and tokens are never refreshed
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{AFS PAM Modules}

  \begin{itemize}
  \item Authentication and AFS modules
    \begin{itemize}
    \item pam\_afs and pam\_afs.krb (OpenAFS)
    \item Heimdal pam\_krb4 (requires Heimdal)
    \item pam\_krb5afs from Sourceforge (requires Heimdal)
    \end{itemize}
  \item AFS session modules
    \begin{itemize}
    \item pam\_afs2 from Douglas Engert
    \item Sam's pam\_openafs\_session
    \item My pam\_afs\_session
    \end{itemize}
  \item Obtaining tokens in-process via Heimdal's libraries vs. forking an external aklog
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{Problems with pam\_afs}

  \begin{itemize}
  \item Kerberos v4 and kaserver only
  \item Does all of its work in the auth group
    \begin{itemize}
    \item Doesn't work with SSH privilege separation: auth runs in a separate subprocess, so tokens obtained there never reach the user's session
    \item Doesn't support token renewal from screen savers
    \end{itemize}
  \item Forks by default to avoid leaking AFS library threads into the calling application
  \item Pulling AFS libraries into applications is very ugly
  \item Requires hacks to build shared on non-x86 Linux
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{Working with pam\_krb5}

  \begin{itemize}
  \item Merging the Kerberos auth module and AFS tokens is problematic
    \begin{itemize}
    \item Vendor Kerberos v5 modules are common, often don't do AFS
    \item AFS is conceptually separate
    \item Easier to debug separate modules
    \end{itemize}
  \item pam\_krb5 responsible for getting tickets, AFS module for getting
    tokens afterwards
  \item AFS runs as a session module
  \item Ideally also want a setcred hook
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{SSH Challenges}

  \begin{itemize}
  \item auth group run in a separate subprocess
  \item PAM data set in the auth hook is not passed back out of the subprocess, so later hooks (setcred, session) can't use it
  \item ChallengeResponseAuthentication (keyboard-interactive) must be enabled for PAM modules to prompt; with plain password authentication sshd collects the password itself
  \item Threading issues
  \item Broken session/setcred behavior in older OpenSSH versions (check the version on your hosts before relying on the setcred hook)
  \end{itemize}
\end{slide}

\begin{slide}
  \section*{Linux PAM Examples}

\footnotesize
\begin{verbatim}
# Kerberos first.  success=ok falls through to the next line; any other
# result skips the next one module (default=1) and lands on pam_unix.
auth    [success=ok default=1]  pam_krb5.so
# Listed in auth only so that its setcred hook runs later.  Reached only
# after a Kerberos success; default=done ends the stack here with whatever
# this module's auth hook returns (relies on that hook succeeding).
auth    [default=done]          pam_afs_session.so
# Local fallback when Kerberos failed; try_first_pass reuses the password
# already entered for pam_krb5 instead of prompting again.
auth    required                pam_unix.so try_first_pass
# optional: a missing or failed ticket cache must not block the login.
session optional                pam_krb5.so
# required: the login fails if AFS tokens cannot be obtained.
session required                pam_afs_session.so
\end{verbatim}

\begin{verbatim}
# Local accounts first.  A pam_unix success ends the stack (sufficient), so
# such users never reach pam_krb5 and get no ticket here; a pam_unix
# failure is ignored and falls through to Kerberos.
auth    sufficient                pam_unix.so
# use_first_pass reuses the password pam_unix collected, never re-prompts.
# A Kerberos failure is fatal: default=die returns that failure at once.
auth    [success=ok default=die]  pam_krb5.so use_first_pass
# Listed in auth only so that its setcred hook runs later; default=done
# ends the stack with whatever this module's auth hook returns.
auth    [default=done]            pam_afs_session.so
# Both optional: the login still succeeds if tickets or AFS tokens cannot
# be obtained -- availability over strictness, a deliberate choice.
session optional                  pam_krb5.so
session optional                  pam_afs_session.so
\end{verbatim}
\end{slide}

\end{document}
