The
pam_afslog authentication service module for PAM provides functionality for only one PAM category: authentication (
module-type of “
auth”).
The
pam_sm_authenticate() function does nothing and thus the module should be used with an
control-flag of “
optional”.
The value of the module comes from its
pam_sm_setcred() function. If the
afslog parameter is enabled in
krb5.conf(5), then the module will take Kerberos 5 credentials from the cache created by
pam_krb5(8) and convert them into AFS tokens, after first creating a PAG (Process Authentication Group) if necessary.