pam-afs-session

Warning

This package is orphaned. Although I believe it is still useful, I no longer use AFS and am no longer maintaining this PAM module. If you would like to pick up maintenance of this package, please feel free. Contact me if you would like this page to redirect to its new home.

Description

pam-afs-session is a PAM module that isolates each login in a separate AFS PAG (so that they will not trample on each other's AFS tokens) and supports either running an external program to obtain AFS tokens from a Kerberos ticket cache or using Heimdal's libkafs library. It does not obtain tickets itself and must be used in conjunction with a Kerberos PAM module to obtain tokens (setting up PAGs can be done without any Kerberos implementations). It provides only the setcred and session PAM functions.
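The placement constraints described above can be checked mechanically against a PAM service file. The following is an added example, not code from the pam-afs-session distribution: the module file names `pam_afs_session.so` and `pam_krb5.so`, the rule that the Kerberos module is listed earlier in each stack, and both sample stacks are assumptions constructed for illustration.

```python
# Added example, not from the pam-afs-session distribution.
# Module file names below are assumptions; the page does not list them.
AFS_MODULE = "pam_afs_session.so"
KRB5_MODULES = {"pam_krb5.so"}
SUPPORTED_TYPES = {"auth", "session"}  # setcred is called through the auth stack

def parse_stack(text):
    """Yield (type, module) for every module line of a PAM service file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue
        mtype, rest = fields[0].lstrip("-"), fields[1:]
        # A control field may be bracketed: [success=ok default=1]
        while rest[0].startswith("[") and not rest[0].endswith("]") and len(rest) > 1:
            rest = ["[" + rest[1]] + rest[2:]
        if len(rest) > 1:
            yield mtype, rest[1].rsplit("/", 1)[-1]

def audit(text):
    """Return findings about pam-afs-session placement in one service file."""
    findings = []
    seen_krb5 = {t: False for t in SUPPORTED_TYPES}
    for mtype, module in parse_stack(text):
        if module in KRB5_MODULES and mtype in seen_krb5:
            seen_krb5[mtype] = True
        elif module == AFS_MODULE and mtype not in SUPPORTED_TYPES:
            findings.append(f"{mtype}: {AFS_MODULE} provides only setcred and session")
        elif module == AFS_MODULE and not seen_krb5[mtype]:
            findings.append(f"{mtype}: no Kerberos module before {AFS_MODULE}; "
                            "a PAG is created but no tokens can be obtained")
    return findings

# Constructed sample stacks (not taken from any real system).
GOOD = """
auth     [success=ok default=1]  pam_krb5.so
auth     [default=done]          pam_afs_session.so
session  optional                pam_krb5.so
session  required                pam_afs_session.so
"""
BAD = """
auth     required   pam_afs_session.so   # listed before the Kerberos module
auth     required   pam_krb5.so
account  required   pam_afs_session.so   # unsupported PAM function
session  required   pam_afs_session.so
"""

if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(stack) or "ok")
```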

For the AFS system call layer, pam-afs-session supports linking with the Heimdal libkafs library or the libkopenafs library that will ship with later versions of OpenAFS and provides a similar interface. As a fallback, and to support a low-dependency build on Linux systems, it also comes with a simple AFS system call implementation for Linux, Mac OS X, Solaris, or platforms that use syscall to call AFS functions. It can also link with the older OpenAFS libraries when libkopenafs isn't available.

Requirements

The PAM implementations on Linux, Solaris, Mac OS X, HP-UX, and AIX are supported, although the module is primarily tested on Linux and only lightly tested (and not at all by me personally) on the other platforms. Use on platforms with other PAM implementations, such as IRIX or the *BSDs, will require more porting and will not currently work. Patches are welcome.

The module is written in C and should hopefully build on any system with an adequate PAM library that Libtool supports.

Heimdal's libkafs or OpenAFS's libkopenafs is the preferred way of making AFS system calls. If neither is present at compile time, pam-afs-session will attempt to fall back on a built-in AFS system call layer. To use the built-in AFS system call interface on Linux, Mac OS X, and Solaris 11, the system must run a new enough version of OpenAFS or Arla to support AFS system calls through ioctl on a file in /proc or /dev. On other systems with a simple system call interface, configure must be able to find the AFS header afs/param.h in order to get the system call numbers for that platform. On AIX and IRIX, configure will attempt to locate the necessary OpenAFS libraries for lsetpag (either libafsauthent or libsys) but will not support deleting tokens at the end of a session.

The module can optionally use Heimdal's libkafs library to obtain tokens as well as create the PAG. If you are using Heimdal and obtaining tokens from Kerberos tickets, this is the recommended configuration, since it means that the PAM module doesn't have to fork an external process. For other users, an external aklog program that obtains tokens is necessary (and not provided by this module).

To obtain configuration information from krb5.conf and to support the kdestroy option, either MIT Kerberos or Heimdal is required.

Testing the module requires a system with AFS installed and working so that the PAG creation and manipulation can be tested. Running the complete test suite also requires that you have an existing ticket cache and working aklog program. Those portions of the test suite will be skipped if AFS or a Kerberos ticket cache do not appear to be available.

To run the POD test suite, you must have Perl 5.006 or later and the modules Test::More and Test::Pod installed. Test::More comes with Perl 5.8 or later. Test::Pod is available from CPAN and currently must be installed separately, but the POD tests will be skipped without interfering with the rest of the tests if it's not installed.

To check spelling in the POD documentation, Pod::Spell (available from CPAN) and either aspell or ispell with the american dictionary are also required. The user's path is searched for aspell or ispell and aspell is preferred. Spelling tests are disabled by default since spelling dictionaries differ too much between systems. To enable those tests, set RRA_MAINTAINER_TESTS to a true value.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate the manual pages from a fresh Git checkout.

Download

The distribution:

pam-afs-session 2.6 (2015-09-19): Download, PGP signature

An archive of older releases is also available.

A Debian package (as libpam-afs-session) is included in Debian 5.0 (lenny) and later releases. Debian 4.0 (etch) and earlier have libpam-openafs-session, which is unrelated to this module.

pam-afs-session is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/afs/pam-afs-session.git

You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

License

The pam-afs-session package as a whole is covered by the following license:

Copyright 2015 Russ Allbery
Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-afs-session source distribution.

Last modified and spun 2015-09-19