[OpenAFS] Re: openssh-3.7.1, pam and no token after login
Christopher Allen Wing
wingc@engin.umich.edu
Wed, 17 Dec 2003 11:06:23 -0500 (EST)
Hendrik:
On Tue, 16 Dec 2003, Hendrik Hoeth wrote:
> openssh before 3.7.1 (even with privilege separation) used to work fine.
> The problem that I don't get a token appeared with openssh 3.7.1.
Hmm, sorry, I'm not familiar with this version of openssh. We're using a
packaged version from a linux distribution.
> John T. Boyland reported the same problem on Solaris with privsep
> disabled some time ago, but he has no solution yet, either.
It sounds like it will require some tracing/debugging to see what is going
on.
> > We have our own pam module that needed some modifications to work
> > properly. I haven't tried the OpenAFS one so I don't know if it is
> > broken with newer openssh or not.
>
> May I ask what you changed in your pam module? Are these special
> changes for your environment, or could it be useful for me as well?
We have a modified pam module to work in an environment with multiple,
unsynchronized Kerberos realms / AFS cells.
I'm not sure that it would be particularly interesting to most people
using openafs.
The quirk I noticed in openssh PAM support (but again, I haven't tried
3.7.1) was that it drops root privileges between the time that it starts
using PAM and the time it finishes, which is confusing. (and will break
PAM modules that expect to be root the entire time)
In particular, I believe it did:
pam_start() as root
pam_authenticate() as root
pam_setcred(PAM_REINITIALIZE_CRED) as root
pam_setcred(PAM_ESTABLISH_CRED) as non-root
pam_setcred(PAM_DELETE_CRED) as non-root
pam_end() as non-root
Thanks,
Chris
wingc@engin.umich.edu
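Chris's message above lists the order in which sshd calls the PAM hooks and says which of them ran as root in his build. An added example, not code from this thread, from OpenAFS or from either poster: a minimal tracing PAM module that logs pid, real uid and effective uid from every hook, so the same sequence can be confirmed against one's own sshd rather than guessed. The file name pam_trace.c, the syslog prefix, and the fallback constant values (Linux-PAM numbers, used only where the libpam headers are missing) are assumptions of this example.

```c
/*
 * pam_trace.c -- tracing PAM module (added example, not OpenAFS code).
 * Every hook logs pid/uid/euid to syslog, so the auth log shows in which
 * process and at which privilege level sshd made each PAM call.
 *
 * Build:  gcc -shared -fPIC -Wall -o pam_trace.so pam_trace.c
 * Use:    copy pam_trace.so into the directory your PAM loads modules
 *         from, add to the sshd stack (/etc/pam.d/sshd on Linux-PAM):
 *             auth     optional pam_trace.so
 *             session  optional pam_trace.so
 *         log in over ssh, then grep the auth log for "pam_trace:".
 */
#define PAM_SM_AUTH
#define PAM_SM_SESSION
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__has_include)
#  if __has_include(<security/pam_modules.h>)
#    define HAVE_PAM_HEADERS 1
#  endif
#endif

#ifdef HAVE_PAM_HEADERS
#include <security/pam_modules.h>
#else
/* Fallback so the file compiles where libpam headers are absent.
 * Assumption: Linux-PAM numeric values. A real module build finds the
 * system header above and never uses these. */
typedef struct pam_handle pam_handle_t;
#define PAM_SUCCESS           0
#define PAM_ESTABLISH_CRED    0x0002
#define PAM_DELETE_CRED       0x0004
#define PAM_REINITIALIZE_CRED 0x0008
#define PAM_REFRESH_CRED      0x0010
#define PAM_SILENT            0x8000
#endif
#ifndef PAM_EXTERN
#define PAM_EXTERN
#endif

/* Name the pam_setcred() operation; PAM_SILENT is masked off because the
 * application may OR it into the flag word. */
const char *cred_flag_name(int flags)
{
    switch (flags & ~PAM_SILENT) {
    case PAM_ESTABLISH_CRED:    return "ESTABLISH_CRED";
    case PAM_DELETE_CRED:       return "DELETE_CRED";
    case PAM_REINITIALIZE_CRED: return "REINITIALIZE_CRED";
    case PAM_REFRESH_CRED:      return "REFRESH_CRED";
    case 0:                     return "none";
    default:                    return "unknown";
    }
}

/* Render one trace line into a static buffer (PAM hooks in one process are
 * not run concurrently, so a static buffer is acceptable here). Kept free
 * of libpam calls so it can be exercised outside a PAM stack. */
const char *trace_line(const char *hook, int flags,
                       pid_t pid, uid_t uid, uid_t euid)
{
    static char buf[160];
    if (strcmp(hook, "setcred") == 0)
        snprintf(buf, sizeof buf,
                 "pam_trace: setcred(%s) pid=%ld uid=%ld euid=%ld",
                 cred_flag_name(flags), (long)pid, (long)uid, (long)euid);
    else
        snprintf(buf, sizeof buf,
                 "pam_trace: %s(flags=0x%x) pid=%ld uid=%ld euid=%ld",
                 hook, (unsigned)flags, (long)pid, (long)uid, (long)euid);
    return buf;
}

/* Log the calling process's identity for one hook. Always returns
 * PAM_SUCCESS so an "optional" entry never changes the stack's result. */
int trace_hook(const char *hook, int flags)
{
    openlog("sshd-pam_trace", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "%s",
           trace_line(hook, flags, getpid(), getuid(), geteuid()));
    closelog();
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                   int argc, const char **argv)
{
    (void)pamh; (void)argc; (void)argv;
    return trace_hook("authenticate", flags);
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags,
                              int argc, const char **argv)
{
    (void)pamh; (void)argc; (void)argv;
    return trace_hook("setcred", flags);
}

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
                                   int argc, const char **argv)
{
    (void)pamh; (void)argc; (void)argv;
    return trace_hook("open_session", flags);
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
                                    int argc, const char **argv)
{
    (void)pamh; (void)argc; (void)argv;
    return trace_hook("close_session", flags);
}
```

Reading the resulting log lines in order gives the same kind of list Chris wrote down, with hard numbers attached: a setcred(ESTABLISH_CRED) line whose euid is no longer 0 is the privilege drop he describes, and a pid that differs from the authenticate line's pid shows that the hook ran in a different process, which matters for anything (a PAG, a token, an environment variable) that a module sets up per process during authentication and expects to still be there when the session starts.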