[OpenAFS] openssh-3.7.1, pam and no token after login
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 17 Dec 2003 12:19:00 -0500
On Tuesday, December 16, 2003 03:45:37 +0100 Hendrik Hoeth
<hendrik.hoeth@cern.ch> wrote:
> Hi,
>
> I've got a small but annoying problem. My configuration is:
>
> - openafs-client (plain afs, no third-party kerberos)
> - openssh-3.7.1
> - pam
>
> When I login via ssh, I won't get a new token (though I can login). If
> I then use klog to obtain a token, logout (no unlog), ssh again, I have
> the token which I got from klog before.
>
> This problem appeared after upgrading to openssh-3.7.1, older versions
> of openssh worked fine. Any hints?
As I understand it, OpenSSH starting in 3.7.0 or 3.7.1 runs PAM session
modules in a subprocess, even if privsep is not enabled. The result is
that changes made by these modules, such as establishing a new PAG into
which your tokens are placed, are not inherited by your shell.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA