[OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 26 Jan 2004 16:36:04 -0500
On Monday, January 26, 2004 15:02:54 -0600 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> Well the PAG needs to be set. The code with the kafs sets it in the
> current process, which is the process I would have fork and exec aklog,
> so if they move the code in either case the PAG will be wrong.
Yup.
> OK. The situation I would like to avoid is vendors packaging OpenSSH
> executables that don't have any hooks in them to set the PAG or get a
> token, which is the case today.
Actually, PAM was a perfectly fine hook, when PAM session modules were
still called in the inheritance chain of the user's shell. This only
became broken in OpenSSH 3.7.1. If they fix it, we can use a PAM module to
set a PAG.
> Is the PAG mechanism you expect to end up with on Linux going to be a
> standard feature, i.e. always in the kernel? If not and the setpag of
> parent is not available either, that could be a step backward.
It's still very unclear what will happen. It's politically very messy.
But really, setpag-in-parent is a kludge which breaks a fundamental
abstraction. It was done entirely so that the designers of the original
Andrew system could provide newpag-like functionality without having to
actually start a new shell, because for some reason they thought that would
make their lives easier. Today, I see it used only so that people can do
in a subprocess what they'd have to do in the same process for any other
mechanism. The call to setpag() belongs at the same place you call
setgroups(), setgid(), setuid(), and so on; not in a separate process.
I'll not be the slightest bit sorry to see this "feature" go away.
-- Jeff
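The placement Jeff argues for above, as an added illustration that is not code from the thread, from OpenSSH or from OpenAFS: the session child calls setpag() in the same process, right beside setgroups(), setgid() and setuid(), before it execs the user's shell, rather than forking a helper whose PAG would be lost. The `setpag()` prototype is an assumption standing in for the one OpenAFS supplies (in libkopenafs on current systems); it is declared weak so the example links and runs on a host with no AFS client, in which case the PAG step reports itself unavailable. The `establish_pag`, `drop_to_user` and `prepare_session` functions are names chosen for this example.

```c
/* Added example (not from the OpenAFS thread): where a setpag() call
 * belongs in a login daemon's session child, next to the other
 * credential changes and before exec of the user's shell. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: prototype of the AFS call; the real one comes from the
 * OpenAFS headers and library.  Weak, so an absent symbol resolves to
 * NULL instead of failing the link on a host without AFS. */
extern int setpag(void) __attribute__((weak));

enum { PAG_SET = 1, PAG_UNAVAILABLE = 0, CRED_ERROR = -1 };

/* Step 1: create the new PAG.  This must run in the process that will
 * exec the shell (or an ancestor in its fork chain), never in a sibling
 * helper process, because the PAG is inherited like any other
 * process credential. */
int establish_pag(void)
{
    if (setpag == NULL)
        return PAG_UNAVAILABLE;   /* no AFS client library on this host */
    if (setpag() != 0)
        return CRED_ERROR;        /* kernel refused (e.g. no AFS module) */
    return PAG_SET;
}

/* Step 2: the ordinary credential drop, in the required order:
 * supplementary groups first (only root may set them), then gid,
 * then uid.  The result is verified because a silent failure here
 * leaves the child running with the daemon's privileges. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return CRED_ERROR;
    if (setgid(gid) != 0)
        return CRED_ERROR;
    if (setuid(uid) != 0)
        return CRED_ERROR;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return CRED_ERROR;
    return 0;
}

/* The full sequence a session child runs before exec.  Returns the
 * PAG status (PAG_SET or PAG_UNAVAILABLE) on success, CRED_ERROR
 * on any failure. */
int prepare_session(uid_t uid, gid_t gid)
{
    int pag = establish_pag();
    if (pag == CRED_ERROR)
        return CRED_ERROR;
    if (drop_to_user(uid, gid) != 0)
        return CRED_ERROR;
    return pag;
}

int main(void)
{
    /* Use the caller's own ids so the example runs unprivileged. */
    int rc = prepare_session(getuid(), getgid());
    if (rc == CRED_ERROR) {
        fprintf(stderr, "session setup failed: %s\n", strerror(errno));
        return 1;
    }
    printf("credentials set; PAG %s\n",
           rc == PAG_SET ? "established" : "unavailable (no AFS client)");
    /* A real daemon would now execve() the user's shell; aklog or an
     * equivalent token-acquiring step runs inside this same PAG. */
    return 0;
}
```

Run as an ordinary user the program drops to its own ids and reports whether a PAG was created; the point is that nothing about the PAG step survives if it is moved into a separate forked helper, which is exactly why a PAM session module or the daemon itself, not an external aklog, has to make the setpag() call.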