Tuesday, 2022/03/22
10:00 am ET
Terrell Russell, Alan King, Kory Draughn, Dave Fellinger, Claudio Cacciari (SURF), Harry Kodden (SURF), Stefan Wolfsheimer (SURF), Paul Borgermans (KU Leuven), John Constable (Sanger), Mike Conway (NIEHS)
DISCUSSION
- Alan Update
- Legacy PAM plugin ported to use new plugin framework
- Perhaps start calling it 'pam_password'
- Functions as a standalone plugin instead of having a special flow via iinit
- Attempted port of SURF's "interactive PAM" auth plugin to new framework
- Originally https://github.com/stefan-wolfsheimer/irods_auth_plugin_pam_interactive
- Not sure if this builds/works, hoping for tutorial
- Legacy PAM plugin ported to use new plugin framework
- Next Steps
- JSON token on client side - to hold information coming from the PAM stack
- Most complicated part was/is to implement the callback function in the flow when coming from the PAM stack, as part of the handshake conversation(?)
- Hold diagrams alongside the code - figure out if they are consistent/true
- Demonstrate example session from original presentation, to confirm flow is still consistent
- Updated diagram, similar to current interactive series, but box-within-a-box
- Proposed
- Small hackathon - to be able to poke at the PAM backend, via python (no compiling)
- auth_check_main.cpp - as a debugging program, good place to start too
- Would not use the python backend for production, but good for testing/prototyping
- Any kind of conversation, flexible
- Question (Stefan)
- Consider adding threadpool, to control the number of active sessions with PAM
- Claudio
- iinit currently creates .irodsA (which requires iexit to remove)
- Need to think about removing the cookie/JSON file
- Current code, if JSON is not present, then challenge again to recreate
- No explicit logout in the code… yet
- Question, should iexit also remove this JSON file?
- Perhaps just another plugin operation (so for native, remove .irodsA file, for PAM, remove this JSON)
- Similar flow for when the server invalidates/revokes a good token
- And again for renewing/refreshing
- Other iRODS client libraries would need to learn this flow as well
- Python, Go, Jargon, etc. But also the clients that use them
- Interaction with the user
- b/c no longer just challenge/password, need to copy/paste any tokens, etc.
- Only the server has to talk to the PAM stack itself
- Python, Go, Jargon, etc. But also the clients that use them
- Stefan will find/share the JSON cookie patch with Alan
- Next Meeting
- April 2022