pam issues - was Re: [OpenAFS] Is OpenAFS appropriate?
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 21 Jan 2004 16:37:25 -0500
On Wednesday, January 21, 2004 11:16:20 -0600 John Tang Boyland <boyland@solomons.cs.uwm.edu> wrote:
> Just wanted to point out that (open)sshd doesn't work well with PAM/AFS.
> Like you said, you have to klog again after logging on, even after
> using PAM for AFS login.
>
> This has been reported off and on in openafs-info since openssh 3.7.1
>
> It happens because sshd loses the PAG for the login shell. This means
> that the next time you log on (if it's within 25 hours), you will still
> have your tokens, which makes sftp etc. better than useless.
It's worse than that. Starting with OpenSSH 3.7.1, PAM session modules are
run in a separate subprocess which is not in the inheritance chain for the
user's shell. This happens even if privilege separation is not enabled.
The result is that obtaining a new PAG and setting tokens are both done in
this subprocess which is then thrown away. So you don't get a new PAG, and
you don't get tokens, and there's basically nothing the PAM module
maintainer can do about it.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
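The process-ancestry point in the reply above, shown as an added illustration (this is not sshd, pam_afs or OpenAFS code). A PAG is a per-process credential that the kernel copies to a child on fork() and keeps across exec(); the program below uses umask as a stand-in with the same inheritance rule (an assumed analogy, chosen so it runs without AFS), and contrasts the two process shapes the thread describes: session modules run in the process that later becs the shell, versus session modules run in a helper child that is a sibling of the shell rather than its ancestor.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not sshd/OpenAFS code. umask stands in for a PAG:
 * both are per-process attributes inherited on fork() and kept over exec().
 * "PAG set" is modelled as umask 077, "no PAG" as umask 022 (assumption). */
#define NO_PAG  022
#define PAG_SET 077

/* Read the current umask without changing it. */
static mode_t read_umask(void) {
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Wait for a child; it exits 0 if it saw the "PAG", 1 otherwise. */
static int child_saw_pag(pid_t pid) {
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Pre-3.7.1 shape: the PAM session phase runs in the very process that
 * then execs the user's shell, so a PAG obtained there is inherited.
 * Returns 1 if the shell process sees the PAG. */
int shell_sees_pag_inline_session(void) {
    umask(NO_PAG);
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        umask(PAG_SET);                 /* pam session: setpag() + tokens   */
        /* a real sshd would exec the shell here; we just report instead   */
        _exit(read_umask() == PAG_SET ? 0 : 1);
    }
    return child_saw_pag(pid);
}

/* 3.7.1 shape described in the thread: the session modules run in a
 * throwaway helper child, and the shell is forked afterwards from the
 * parent. The helper is a sibling of the shell, not an ancestor, so the
 * PAG (and tokens) it obtained die with it. Returns 1 only if the shell
 * process sees the PAG, which it does not. */
int shell_sees_pag_sibling_session(void) {
    umask(NO_PAG);
    pid_t helper = fork();
    if (helper < 0)
        return 0;
    if (helper == 0) {
        umask(PAG_SET);                 /* pam session runs here ...        */
        _exit(0);                       /* ... and the process is discarded */
    }
    waitpid(helper, NULL, 0);

    pid_t shell = fork();               /* forked from the parent, not the helper */
    if (shell < 0)
        return 0;
    if (shell == 0)
        _exit(read_umask() == PAG_SET ? 0 : 1);
    return child_saw_pag(shell);
}

int main(void) {
    printf("session in shell's ancestry: shell has PAG = %d\n",
           shell_sees_pag_inline_session());
    printf("session in sibling helper:   shell has PAG = %d\n",
           shell_sees_pag_sibling_session());
    return 0;
}
```

When checking a real box, note the caveat from the quoted message: because no new PAG is created, tokens left over from an earlier login on the same machine can still be visible, so run `unlog` in an existing session before testing whether a fresh ssh login actually receives tokens from PAM.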