[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 26 Jan 2004 15:05:37 -0500
On Monday, January 26, 2004 12:59:56 -0600 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> Yes, ak5log or gssklog. Note the -setpag, when it works, is nice
> as this sets the PAG in the parent processes so makes it even easier
> to get the OpenAFS dependencies out of the caller.

Except this works only up exactly one level. The OpenSSH folks will
inevitably end up calling this code from some process which is not in the
inheritance chain for the user's shell, leaving us right where we are today
with PAM. Even if they don't do it today, the restriction is obscure and
will not be well known to people working on OpenSSH, so there is a good
chance that it will be inadvertently broken later.

Worse, there is a good chance that whatever PAG mechanism we end up with on
Linux 2.6 will not support setpag-in-parent at all. So it would be wise to
avoid introducing new dependencies on it, especially in other people's code.
-- Jeff