pam-afs-session 2.0

pam-afs-session is a PAM module that creates a PAG and obtains tokens for a user at login, working with a Kerberos PAM module (such as pam-krb5) that obtains Kerberos tickets.

The main reason for the new major version is that this release finally, hopefully, addresses a long-standing problem with pam-afs-session on Linux: the PAM module creates a PAG and obtains tokens, pam_keyinit runs and deletes both, and then the module doesn't run again because it's already run. A lot of users have had to just remove pam_keyinit in order to make pam-afs-session work properly.

This release takes advantage of the new VIOC_GETPAG and k_haspag interface and checks, when run, whether the user is in a PAG. If they're not, because it's been destroyed by pam_keyinit for example, it creates a new PAG and obtains tokens again even if it had already run. This means that as long as pam-afs-session is after pam_keyinit in the session stack, it should work properly.
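The following is an added example, not code from pam-afs-session: a small C model of the module ordering described above, showing why the pre-2.0 "already ran" check loses tokens and why 2.0 still needs to run after pam_keyinit. The struct, enum and function names are hypothetical, and the PAG state is simulated rather than queried through k_haspag.

```c
/* Constructed model of the PAM stack behaviour described above; this is
 * not pam-afs-session source and every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct session {
    bool in_pag;      /* what a k_haspag-style check would report */
    bool has_tokens;  /* tokens are lost together with the PAG */
    bool already_ran; /* stands in for the module's "already ran" data */
};

enum module { KEYINIT, AFS_SESSION };

/* pam_keyinit as the post describes it: PAG and tokens are both deleted. */
static void run_keyinit(struct session *s)
{
    s->in_pag = false;
    s->has_tokens = false;
}

/* check_pag == false models the pre-2.0 logic (trust the marker alone);
 * check_pag == true models 2.0 (the marker only counts while in a PAG). */
static void run_afs_session(struct session *s, bool check_pag)
{
    if (s->already_ran && (!check_pag || s->in_pag))
        return;
    s->in_pag = s->has_tokens = s->already_ran = true;
}

/* Run the modules in stack order; report whether tokens survive. */
bool stack_leaves_tokens(const enum module *stack, size_t n, bool check_pag)
{
    struct session s = { false, false, false };
    for (size_t i = 0; i < n; i++) {
        if (stack[i] == KEYINIT)
            run_keyinit(&s);
        else
            run_afs_session(&s, check_pag);
    }
    return s.has_tokens;
}

int main(void)
{
    const enum module stack[] = { AFS_SESSION, KEYINIT, AFS_SESSION };
    printf("pre-2.0: %d, 2.0: %d\n", stack_leaves_tokens(stack, 3, false),
           stack_leaves_tokens(stack, 3, true));
    return 0;
}
```

In this model, a stack that ends with pam_keyinit leaves the user without tokens under either logic, which is the ordering requirement stated above.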

I also switched pam-afs-session over to Automake and Libtool in this release rather than hand-rolling compilation rules. This, among other things, lets me suppress all non-public symbols on all platforms, not just on Linux. I had very positive experiences with doing this on pam-krb5 (not a single user complained or had trouble building the module), so hopefully the same will hold with pam-afs-session.

This release also adds untested support for the new AFS system call methods on Mac OS X and Solaris 11 (which use an ioctl in /dev instead of a system call) and updates the configure options used to configure kafs support.

Other bug fixes in this release include avoiding returning an uninitialized value from pam_open_session when notokens is set, removing module data on pam_close_session so that opening multiple sessions with the same PAM handle should work, fixing a configure error when built with --without-krb5, and properly reporting ignore status when debugging is enabled.

Finally, and this should make a big difference for maintainability going forward, this release includes a test suite and uses the new PAM utility layer and fake PAM testing library from rra-c-util 3.0.

You can get the latest version from the pam-afs-session distribution page.

Posted: 2010-12-29 17:37

Last spun 2013-07-01 from thread modified 2013-01-04