Derrick J Brashear wrote:
>
> On Sun, 29 Feb 2004, Douglas E. Engert wrote:
>
> > Not really. I was trying to convince the OpenSSH people to in effect
> > add a hook to the code, so the sshd could be run on a system with
> > or without OpenAFS, by using a dynamically loaded lib. If it was
> > not present, the sshd would continue.
> >
> > So far the OpenSSH people have not been convinced.
> >
> > If it was a shared lib, I believe it would mean sshd would fail
> > if the lib was not present.
>
> why, you can dlopen a shlib and dlsym the symbols you want

The OpenSSH people don't want to add the dlopen, dlsym to OpenSSH,
so it is a moot point. See their response.

>
> Markus Friedl wrote:
> >
> > On Fri, Feb 27, 2004 at 05:23:38PM -0600, Douglas E. Engert wrote:
> > > Would OpenSSH be willing to add such a mod?
> >
> > i don't see why sshd should play a dynamic linking game.
> >
> > either the library has the symbol at compiletime
> > or not.
>
> If a vendor, like Red Hat, Apple, Sun, HP, IBM or OpenBSD builds
> OpenSSH for distribution, they can do it without having OpenAFS
> available at compile time.
>
> Yet when the end user uses OpenSSH on a system with OpenAFS
> they will work together because the hook in OpenSSH will already be
> in place by default.
>
> The use of the dynamic library gets the setpag code to run from
> the correct process. It might also be useable with PAGs for NFSv4.
>
> Two other approaches are:
>
> (1) Make the get_afs_token routine part of OpenSSH and compiled in.
>     But this then has some dependencies on how the setpag is done
>     and vendors may not compile in this option, especially if any
>     OpenAFS libs are required at compile time.
>
> (2) PAM could be called when GSSAPI is used for authentication.
>     A PAM session routine could do the setpag, as long as the PAM
>     routine is run from the correct process.
>
>     This opens up some other possibilities of moving some or all
>     of the Heimdal vs MIT kerberos dependencies to PAM routines
>     as well.
>
> > _______________________________________________
> > openssh-unix-dev mailing list
> > [EMAIL PROTECTED]
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

> > > Does libafsrpc.so/libafsauthent.so not have what you need?
> >
> > I don't think so. I was looking for two functions for the
> > hook. Set the PAG, from the process loading and calling the hook,
> > and get a token. The token could be obtained using something like
> > aklog, or afslog, or even gssklog. (Note that the gssklog could
> > use any GSSAPI, including non Kerberos based gssapi, like the
> > Globus GSI.)
>
> well, so, you want libkafs/libkrbafs, and strictly speaking they don't
> need to come from openafs.
>
> ken hornstein is supposed to be integrating aklog into the openafs source
> base, so after he does maybe we can also include libk{,rb}afs.

That might help. But it does not help with the gssapi delegated
credentials, as the kafs is expecting s->authctxt->krb5_ctx to
be the Kerberos context. It's not in the gssapi case.

But both the GSSAPI delegated creds or the credentials obtained
via user/password have been written to the cache, and the ENV KRB5CCNAME
has been set. That's why running aklog or afslog works.

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
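
The optional-hook pattern discussed in this thread (dlopen a library and dlsym the entry point, continuing if the library is not present) can be sketched as follows. This is an added example, not code from the thread, OpenSSH or OpenAFS; the library path, the symbol name `afs_session_hook` and the hook signature are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Hypothetical hook signature (not from OpenSSH or OpenAFS): 0 on success. */
typedef int (*session_hook_fn)(const char *username);

enum hook_status { HOOK_LOADED, HOOK_UNAVAILABLE, HOOK_REJECTED, HOOK_NO_SYMBOL };

struct session_hook {
    void *handle;        /* dlopen() handle, NULL when nothing is loaded */
    session_hook_fn fn;  /* resolved entry point, NULL when nothing is loaded */
};

/* Try to load an optional hook. Every failure is reported, none is fatal. */
enum hook_status load_session_hook(const char *path, const char *symbol,
                                   struct session_hook *out)
{
    out->handle = NULL;
    out->fn = NULL;
    /* Accept absolute paths only: a bare name would be resolved through the
     * loader search path, which a privileged daemon should not rely on. */
    if (path == NULL || symbol == NULL || path[0] != '/')
        return HOOK_REJECTED;
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL)
        return HOOK_UNAVAILABLE;   /* library missing or not loadable */
    void *sym = dlsym(handle, symbol);
    if (sym == NULL) {
        dlclose(handle);
        return HOOK_NO_SYMBOL;     /* library present, entry point missing */
    }
    out->handle = handle;
    *(void **)(&out->fn) = sym;    /* POSIX idiom for object-to-function pointer */
    return HOOK_LOADED;
}

int main(void)
{
    struct session_hook hook;
    /* Constructed path and symbol name, for illustration only. */
    enum hook_status st = load_session_hook("/usr/lib/afs_hook_example.so",
                                            "afs_session_hook", &hook);
    if (st == HOOK_LOADED) {
        int rc = hook.fn("exampleuser");   /* call from the process that needs the PAG */
        printf("hook returned %d\n", rc);
        dlclose(hook.handle);
    } else {
        printf("hook not loaded (status %d), continuing without it\n", (int)st);
    }
    return 0;
}
```

On older glibc versions this links with `-ldl`.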
