NCSA Krb5 PAM Modifications
This page has information on modifications we have made to a couple of the
publicly available Kerberos 5 PAM modules. There are links to the patches
for these as well. Some of this information may be a bit outdated, and many
operating systems and Kerberos distributions now come with a PAM module supplied.
Solaris Krb5 PAM
We currently use the Solaris Krb5 PAM module by Curtis King. It is available
from ftp://ftp.dementia.org/pub/pam/ and was ported from the Linux Krb5 PAM
module written by Naomaru Itoi.
Our patch was added so you can get an AFS token once the Kerberos
ticket has been obtained. It runs a command called aklog, which does the
ticket-to-token conversion. The patch was written in NCSA's
AFS/Kerberos 5 environment. We have applied Ken Hornstein's
AFS-Kerberos 5 migration kit
to the MIT version of Kerberos.
After the patch is applied, the following configuration changes need to
be made to get this to work.
In the Makefile, the following need to be added to the end of the CFLAGS
variable:
-DAFS
    Compiles in the AFS-specific code.
-DHAVE_APPDEFAULT
    Compiles in the appdefault code (this is specific to the AFS/Kerberos 5
    migration kit modifications).
If you are using the migration kit, you have the option of compiling with the
HAVE_APPDEFAULT option mentioned above. In that case the module will look
for the following defaults in the krb5.conf file under the [appdefaults]
section:
forwardable = 1
krb5_run_aklog = 1
krb5_aklog_path = /usr/local/krb5/bin/aklog
default_lifetime = 25h
You can set forwardable to 0 or 1 depending on whether you want to get a
forwardable ticket or not.
Set krb5_run_aklog to 1 so that the module will run aklog.
Set krb5_aklog_path to the location of your aklog binary.
Set default_lifetime to whatever value is appropriate for your site; if it is
not set, the default is 10 hours.
If you are not using the migration kit, but still use aklog to convert a
ticket to a token, then you can define the AKLOG_PATH variable in the
Makefile for the location of the aklog binary.
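Because the module executes whatever binary krb5_aklog_path (or AKLOG_PATH) names during login, that path deserves a check before it is run. The following C is an added example, not code from the patch: the helper names check_aklog_path and run_aklog are hypothetical, and it assumes aklog should be a root-owned regular file that is not writable by group or others.

```c
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the patch): return 0 if path is acceptable
 * as krb5_aklog_path / AKLOG_PATH, else a negative code for the failed check. */
int check_aklog_path(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return -1;                  /* must be absolute: no PATH or cwd lookup */
    if (stat(path, &st) != 0)
        return -2;                  /* missing or inaccessible */
    if (!S_ISREG(st.st_mode))
        return -3;                  /* not a regular file */
    if (st.st_uid != 0)
        return -4;                  /* assumption: binary must be root-owned */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -5;                  /* writable by group or others */
    if (!(st.st_mode & S_IXUSR))
        return -6;                  /* not executable */
    return 0;
}

/* Hypothetical helper: run aklog directly, without a shell. Returns its exit
 * status, or -1 if the path is rejected or the child could not be run. */
int run_aklog(const char *path)
{
    char *const argv[] = { "aklog", NULL };
    int status;
    pid_t pid;

    if (check_aklog_path(path) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);          /* inherits the caller's environment */
        _exit(127);                 /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The check covers the binary itself only; the directories leading to it need the same ownership and permissions.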
You will also need to link in the latest
krbafs library
from CMU. This library is a modified version of the
KTH Kerberos (eBones)
libkafs. It was written with some nice and easy AFS library calls.
Make sure that you either install the libkrbafs.a library in a location
where the PAM compile will find it, or add "-L<library location>
-lkrbafs" to the end of the EXTRALIBS variable in the Makefile.
This was compiled and tested with Solaris 2.6 and Kerberos version 1.0.5.
If you find problems or have comments, you can email me at:
jbarlow@ncsa.uiuc.edu
Solaris AFS/Kerberos 5 PAM patch
(patch to pam_krb5-1.1.3)
Questions or comments about this page may be sent to kerberos@ncsa.uiuc.edu