Bug 356901 - sys-auth/pam-afs-session requires the nopag option to acquire AFS token
Summary: sys-auth/pam-afs-session requires the nopag option to acquire AFS token
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-28 22:13 UTC by Jan Hrabe
Modified: 2019-11-05 22:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jan Hrabe 2011-02-28 22:13:29 UTC
I use a Kerberos 5 setup with OpenAFS.  Because the Gentoo version of pam_krb5 does not include the options used for obtaining AFS tokens, pam_afs_session is required.  However, this module does not seem to work with PAM unless the nopag option is used, which compromises security.

=========

:~> emerge --info
Portage 2.1.9.25 (default/linux/x86/10.0/desktop, gcc-4.4.5, glibc-2.11.2-r3, 2.6.36-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-i686-Intel-R-_Xeon-R-_CPU_E5345_@_2.33GHz-with-gentoo-1.12.14
Timestamp of tree: Mon, 28 Feb 2011 14:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r2, 3.1.3-r1
dev-util/ccache:     2.4-r9
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs candy ccache distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US"
LC_ALL="en_US"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi afs alsa berkdb branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emacs emboss encode exif fam firefox flac foomaticdb fortran gcj gdbm gdu gif gpm gtk iconv ieee1394 imagemagick jpeg kerberos latex lcms libnotify lock mad mikmod mng modules mp3 mp4 mpeg mudflap ncurses nis nls nptl nptlonly ogg opengl openmp pam pango pcre pdf perl pic png policykit ppds pppd python qt3support qt4 readline sasl sdl session spell ssl startup-notification svg sysfs tcpd thunar tiff truetype udev unicode usb vorbis x264 x86 xcb xml xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia vesa" XTABLES_ADDONS="quota2 psd 
pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

========

:~> cat /etc/krb5.conf
# Kerberos client configuration as pasted by the reporter (/etc/krb5.conf).
[libdefaults]
 	default_realm = CABI.RFMH.ORG
 	dns_lookup_realm = false
	# KDCs are not discovered via DNS; the [realms] entries below are the only source.
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	forwardable = true
	# Permits weak enctypes (e.g. single DES) for all Kerberos traffic -- a
	# security-relevant setting; NOTE(review): confirm a KDC or service still
	# needs it before keeping it enabled.
	allow_weak_crypto = true

[realms]
	CABI.RFMH.ORG = {
		kdc = gozer.rfmh.org
		kdc = inara.rfmh.org
		kdc = hathor.rfmh.org
		master_kdc = gozer.rfmh.org
		admin_server = gozer.rfmh.org
		default_domain = rfmh.org
	}

[domain_realm]
	.rfmh.org = CABI.RFMH.ORG
	rfmh.org = CABI.RFMH.ORG

[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[appdefaults]
	# Verbose debug output from the Kerberos PAM/app side; presumably enabled
	# while troubleshooting this bug -- noisy (and potentially revealing) in
	# production, so revert once the issue is resolved.
	debug = true

========

:~> cat /etc/pam.d/system-auth
# PAM stack as pasted by the reporter (/etc/pam.d/system-auth); review comments added.
# auth: Kerberos is tried first, local passwords are the fallback
# (try_first_pass reuses the password already entered for pam_krb5).
auth		required	pam_env.so 
auth		sufficient	pam_krb5.so		ignore_root
# nopag: pam_afs_session skips creating a new PAG, so the tokens obtained via
# /usr/bin/aklog are not isolated to this login's process group -- this is the
# security concern raised in the report. The reporter states the module does
# not work without it; confirm against the pam-afs-session documentation.
auth		optional	pam_afs_session.so	program=/usr/bin/aklog nopag
# nullok allows accounts with an empty password field to authenticate through
# pam_unix; review whether that is intended on this host.
auth		sufficient	pam_unix.so		try_first_pass likeauth nullok 
auth		optional	pam_permit.so
 
account		sufficient	pam_krb5.so		ignore_root
account		required	pam_unix.so
account		optional	pam_permit.so
 
password	required	pam_cracklib.so		difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password	sufficient	pam_krb5.so		use_authtok ignore_root
password	sufficient	pam_unix.so		use_authtok nullok sha512 shadow 
password	optional	pam_permit.so
 
session		required	pam_limits.so 
session		required	pam_env.so 
session		optional	pam_krb5.so		ignore_root
# Same nopag caveat as the auth-phase entry above. Note this entry is
# "required" while the auth one is "optional": a failing aklog here blocks
# session setup rather than being ignored.
session		required	pam_afs_session.so	program=/usr/bin/aklog nopag
session		required	pam_unix.so 
session		optional	pam_permit.so



Reproducible: Always
Comment 1 Jan Hrabe 2011-03-01 15:18:56 UTC
I should have included the versions:

*  net-fs/openafs
      Latest version available: 1.4.14-r1
      Latest version installed: 1.4.14-r1

*  net-fs/openafs-kernel
      Latest version available: 1.4.14
      Latest version installed: 1.4.14

*  sys-auth/pam-afs-session
      Latest version available: 1.6
      Latest version installed: 1.6
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-05 22:19:41 UTC
removing.