Hi,

There's no need to add an additional argument to this module; there are perfectly usable options within pam to support token refreshing. Xscreensaver already calls setcred w/ PAM_REINITIALIZE_CRED. Instead, the patch should probably be as attached.

Note that there are still some issues with this; this assumes libpam-krb5 has generated valid krb5 tokens (I have a libpam-krb5 module that regenerates the credentials cache upon setcred REINIT/REFRESH). For some reason, pam_getenv() doesn't see KRB5CCNAME; for the moment, I'm calling getenv(). I intend to fix that, if possible.

Finally, for some reason aklog does different things when called from pam. When calling kinit/aklog from my shell, I end up with:

    [EMAIL PROTECTED]:~/src/libpam-openafs-session-1.0 $ kinit -f && aklog -setpag
    Password for [EMAIL PROTECTED]:
    [EMAIL PROTECTED]:~/src/libpam-openafs-session-1.0 $ klist
    Ticket cache: FILE:/tmp/krb5cc_1010_Iv9XPn
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    08/25/05 15:25:48  08/26/05 01:25:48  krbtgt/[EMAIL PROTECTED]
    08/25/05 15:25:49  08/26/05 01:25:48  afs/[EMAIL PROTECTED]

    Kerberos 4 ticket cache: /tmp/tkt1010
    klist: You have no tickets cached
    [EMAIL PROTECTED]:~/src/libpam-openafs-session-1.0 $ tokens

    Tokens held by the Cache Manager:

    User's (AFS ID 1010) tokens for [EMAIL PROTECTED] [Expires Aug 26 01:25]
       --End of list--

However, when libpam-krb5 generates credentials, and libpam-openafs-session generates afs tokens, I end up w/:

    [EMAIL PROTECTED]:~/src/libpam-openafs-session-1.0 $ klist
    Ticket cache: FILE:/tmp/krb5cc_1010_Iv9XPn
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    08/25/05 15:26:57  08/26/05 01:26:57  krbtgt/[EMAIL PROTECTED]
    08/25/05 15:26:57  08/26/05 01:26:57  afs/[EMAIL PROTECTED]

    Kerberos 4 ticket cache: /tmp/tkt1010
    klist: You have no tickets cached
    [EMAIL PROTECTED]:~/src/libpam-openafs-session-1.0 $ tokens

    Tokens held by the Cache Manager:

       --End of list--

I'm not sure why they're different; Russ/Sam, any ideas?
diff -purN l/libpam-openafs-session-1.0/pam_openafs-krb5_sess.c t/libpam-openafs-session-1.0/pam_openafs-krb5_sess.c --- l/libpam-openafs-session-1.0/pam_openafs-krb5_sess.c 2005-08-25 15:19:24.331999306 -0400 +++ t/libpam-openafs-session-1.0/pam_openafs-krb5_sess.c 2005-08-25 15:18:49.063848410 -0400 @@ -78,7 +78,7 @@ pam_sm_open_session(pam_handle_t *pamh, ELOG("getpwnam","Unable to get the user UID"); return PAM_SERVICE_ERR; } - filecache=pam_getenv(pamh,namecache); + filecache=getenv(namecache); if (!filecache) { DLOG ("open_session", "Could not find Kerberos tickets; not running aklog"); return PAM_SUCCESS; @@ -165,7 +165,7 @@ pam_sm_close_session(pam_handle_t *pamh, exit(-1); } - filecache=pam_getenv(pamh,namecache); + filecache=getenv(namecache); snprintf(buf,MAXBUF-1,"%s=%s",namecache,filecache); envi[0]=buf; DLOG("ENVIRONNEMENT", envi[0]); @@ -192,7 +192,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { - if (flags == PAM_ESTABLISH_CRED) + if (flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED)) return pam_sm_open_session (pamh, flags, argc, argv); return PAM_SUCCESS; }
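Review bot: In the pam_sm_open_session hunk, swapping `filecache=pam_getenv(pamh,namecache);` for `filecache=getenv(namecache);` makes the module read the calling process's environment instead of the PAM environment, so it only works where the application process itself already has KRB5CCNAME set (as it does under xscreensaver) and will regress login-style services where the ccache name is only published into the PAM environment by the Kerberos module. Rather than replacing the call, try pam_getenv() first and fall back to getenv() only when it returns NULL, and keep the existing NULL check that follows.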
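Review bot: In the pam_sm_close_session hunk, `filecache=getenv(namecache);` is passed straight into `snprintf(buf,MAXBUF-1,"%s=%s",namecache,filecache);` with no NULL check, unlike the open_session path, so a missing KRB5CCNAME hands a NULL pointer to %s, which is undefined behaviour. Add the same `if (!filecache)` guard here and return early (or skip setting the variable) before building envi[0].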
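Review bot: In the pam_sm_setcred hunk, the mask test `flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED)` is the right shape, since the old `flags == PAM_ESTABLISH_CRED` comparison fails whenever PAM_SILENT is ORed in; for symmetry, though, PAM_DELETE_CRED still falls through to `return PAM_SUCCESS;`, so consider routing it to pam_sm_close_session so tokens are dropped when the application deletes credentials. Since open_session is reused for the REINITIALIZE/REFRESH case, it is also worth documenting in a comment that the flags argument is forwarded unchanged.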