[OpenAFS] Re: ssh-3.7.1p2 on linux doesn't set AFS pag - can PAM do it?
Dean Anderson
dean@av8.com
Tue, 7 Oct 2003 18:00:39 -0400 (EDT)
Are you building ssh with PAM?
I'm not having this problem anymore, but I did see it when built without
the -DUSE_POSIX_THREADS
--Dean
On Tue, 7 Oct 2003, Shawn Freebern wrote:
>
> I've built the latest openssh (3.7.1p2) on a linux system running the
> latest release of openafs. I don't seem to get a token on login unless I
> enable -DUSE_POSIX_THREADS (and link -lpthread - see openafs-devel for
> more on that topic). My problem now is that sshd doesn't set a PAG on
> login - everyone who logs in with ssh shares the latest tokens - and when
> any session closes, everyone loses tokens. I have UsePAM enabled and have
> the default afs-aware pam.d/sshd.
>
> This is probably due to the decision to remove AFS support from ssh.
> openssh-3.7.1p1 has this code in sshd.c:
>
> #ifdef AFS
> 	/* If machine has AFS, set process authentication group. */
> 	if (k_hasafs()) {
> 		k_setpag();
> 		k_unlog();
> 	}
> #endif /* AFS */
>
> The lack of that code would seem to be the problem - sshd is no longer
> creating a new PAG. Now, I could add the AFS code back into sshd - but
> since the decision has been made to remove AFS support, it seems the
> logical action here would be to set the PAG somewhere else - can PAM do
> that for me, and if so, how?
>
> As a second question, I noticed somewhere that -DUSE_POSIX_THREADS may
> create a security problem - anyone willing to explain what I need to be
> aware of there?
>
> Thanks,
> Shawn
>
> --
> Shawn M. Freebern smf@btv.ibm.com
>
>