[OpenAFS] Hijacking a PAG

Christof Hanke hanke@rzg.mpg.de
Tue, 20 Mar 2007 17:59:08 +0200


just one (or three) question(s) out of curiosity :

Why don't you operate on the krb5-ticket-level?
Wouldn't that be easier (and more portable to other systems) ?
Any specific reason for that ?


Andreas Haupt wrote:
> Hi Derek, hi Chas,
> On Tue, 20 Mar 2007, chas williams - CONTRACTOR wrote:
>> In message <Pine.LNX.4.64.0703200757060.2150@fuchur.ifh.de>,Andreas
>> Haupt write
>> s:
>>> I can have full access to the PAG environment SGE has created. How can I
>>> "transfer" the PAG now to a second "virgin" environment. As an example I
>>> have two sessions and I want the second session to be in the same PAG as
>>> the first session:
>> you can't.  you will note that the key/pag doesnt allow you to read it.
>> this was intentional.   i dont know much about SGE.  how did qrsh
>> (or the shepherd) create the new session keyring?  a pam module?
> It's calling pagsh.krb (or any other program you want).
> But ok, I've found the delinquent: pam_keyinit.so. It's configured with
> the force flag by default in /etc/pam.d/sshd which removes all existent
> sessions.
> session    optional     pam_keyinit.so force revoke
> Changing it to
> session    optional     pam_keyinit.so revoke
> does the trick. SGE's PAG environment won't get destroyed any more. Thanks.
> Andreas