
Web2py and AFS authentication


I would like to authenticate the users of my web2py application with AFS. Unfortunately, it seems like the pam.py module doesn't support AFS, only local users. Is it possible to do that with pam, or should I use something else?


Solution

  • Using PAM is probably what you want to do, since web2py doesn't have any built-in support for AFS or krb5. In order to authenticate non-local users, you would need to specify a different PAM service to authenticate to, and modify the local PAM configuration to make that service authenticate to AFS.

    It looks like the pam_auth.py module doesn't support using PAM services besides the default "login", but it looks simple to make it do so, or create your own. You just need to do something like this:

    from gluon.contrib.pam import authenticate
    
    def mypam_auth():
        # web2py login methods are callables taking (username, password)
        # and returning True on success; this one authenticates against
        # the PAM service "myservice" instead of the default "login".
        def pam_auth_aux(username, password):
            return authenticate(username, password, "myservice")
        return pam_auth_aux
    
    auth.settings.login_methods.append(mypam_auth())
    

    Where "myservice" is just a service name you choose. Then you need to modify the local PAM configuration to make "myservice" authenticate to AFS. On Linux, this usually means creating a file /etc/pam.d/myservice, and filling it with PAM configuration to authenticate to AFS.

    Most AFS cells these days use Kerberos 5 for authentication, so this just means you need to authenticate to Kerberos 5, and don't need to bother with any AFS stuff (unless you want to verify that the user has a valid AFS account; but that's more of a question of authorization than authentication). There are a few guides and examples for setting up PAM with krb5 logins, such as: http://techpubs.spinlocksolutions.com/dklar/kerberos.html#PAM_configuration

    You can just try to follow one of those guides, but you probably only need the 'auth' section, since you don't need to worry about sessions and tickets and all of that. You may only need something like this in /etc/pam.d/myservice:

    auth required pam_krb5.so no_ccache use_first_pass
    auth required pam_deny.so
    

    If by "AFS authentication" you mean the old kaserver krb4-based authentication instead of krb5 (that is, you use 'klog' to authenticate to AFS, instead of 'kinit' and 'aklog' or 'klog.krb5'), you would instead need to use the pam_afs.so PAM module. Something like this might work:

    auth required pam_afs.so use_first_pass
    auth required pam_deny.so
    

    If you don't have control over the local PAM configuration on the local machine, you can instead try to authenticate users by spawning a 'kinit' (krb5) or 'klog' (old kaserver) command, and giving the command a password on its standard input. That's not very elegant, but it should work.
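The kinit fallback from the last paragraph, as an added example that is not code from the original answer: a web2py-style login method that spawns kinit and feeds the password on standard input. It assumes MIT kinit (which reads the password from stdin when no terminal is attached) and uses a MEMORY: credential cache so no ticket file is left on disk; the names run_kinit and kinit_login_method are my own, and the principal check is there so a crafted username cannot be parsed by kinit as a command-line option.

```python
import re
import subprocess

# Accept only principal-shaped names: user, user/instance, user@REALM.
# This also rejects names starting with "-", which kinit would otherwise
# treat as an option rather than a principal.
_PRINCIPAL_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9._-]+)?(@[A-Za-z0-9.-]+)?$"
)


def run_kinit(username, password, kinit="kinit", timeout=10):
    """Assumed helper: spawn kinit for `username`, send the password on
    stdin, and return the process exit code (0 means the KDC accepted it).
    The MEMORY: ccache disappears with the kinit process, so the check
    leaves no ticket behind."""
    proc = subprocess.run(
        [kinit, "-c", "MEMORY:web2py_login_check", username],
        input=password.encode() + b"\n",
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=timeout,
    )
    return proc.returncode


def kinit_login_method(runner=run_kinit):
    """Build a web2py login method: a callable(username, password) -> bool.
    `runner` is injectable so the logic can be tested without a KDC."""
    def kinit_auth(username, password):
        # Empty passwords and odd usernames never reach kinit.
        if not password or not _PRINCIPAL_RE.match(username or ""):
            return False
        try:
            return runner(username, password) == 0
        except (OSError, subprocess.TimeoutExpired):
            # kinit missing, not executable, or a hung KDC: fail closed.
            return False
    return kinit_auth


# In the web2py model file, after Auth() has been created:
# auth.settings.login_methods.append(kinit_login_method())
```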