[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Achim Gsell achim.gsell@psi.ch
Tue, 27 Jan 2004 15:12:28 +0100


On Monday 26 January 2004 23:51, Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean@av8.com> wrote:
> > On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> >> Worse, it would not solve the problem.  The trouble here is not
> >> that AFS tokens are stored in a kernel data structure instead of a
> >> file.  It's that they are indexed by a value which must be set on
> >> login, inherited from each process by its children, and must not
> >> be changeable by the user (to prevent token stealing).  OpenSSH
> >> loses not because you need special code to set tokens, and not
> >> even because you need special code to generate a new PAG -- those
> >> things can be done by a PAM module.  OpenSSH loses because the PAM
> >> session module gets called outside the inheritance chain of the
> >> user's shell, which means it can't set a PAG or anything else
> >> that is inherited across a fork (e.g. groups, environment
> >> variables, resource limits, etc etc etc).
> >
> > Right. And there is an easy solution: Turn off Privsep.
>
> Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run
> PAM session modules in a subprocess unrelated to the eventual user
> shell, regardless of whether privsep is enabled.  AFAIK, in earlier
> versions, it works fine even with privsep, because while such things
> may be run in a subprocess, they are run in a subprocess that ends up
> being an ancestor of the user shell.

If you have POSIX threads, make sure that USE_POSIX_THREADS is defined
while compiling auth-pam.c. This works fine with Linux 2.4 and OpenSSH
3.7.1p2.

Achim
-- 
Scientific Computing
Paul Scherrer Institut
CH-5232 Villigen
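The inheritance-chain problem Jeffrey describes above, as an added example that is not part of this thread or of OpenSSH or OpenAFS. A real PAM session module would call setpag() to create a new PAG; this program uses the soft RLIMIT_NOFILE as a stand-in for a fork-inherited attribute so it runs without AFS. It lays out the two process trees from the discussion: the module running in an ancestor of the "shell" (pre-3.7.1 layout), and the module running in a sibling subprocess that exits before the shell is forked (3.7.1 and later). The function names and the "lower the limit by one" marker are this example's own conventions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Stand-in for a PAM session module.  It changes an attribute that the kernel
 * copies from parent to child on fork().  A PAG is one such attribute (OpenAFS
 * sets it with setpag()); here the soft RLIMIT_NOFILE is used instead so the
 * program runs without AFS.  The "module" lowers the limit by one so the
 * "shell" can tell whether it inherited the change.  (Assumption of this
 * example: the current soft limit is greater than 1.)
 */
static void session_module(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur > 1) {
        rl.rlim_cur -= 1;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
}

/* The attribute as seen by whichever process calls this (the "user shell"). */
rlim_t current_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Run fn() in a forked child and return the value it reports over a pipe. */
static rlim_t in_child(rlim_t (*fn)(void))
{
    int fd[2];
    rlim_t result = 0;
    if (pipe(fd) != 0)
        return 0;
    pid_t pid = fork();
    if (pid == 0) {
        close(fd[0]);
        rlim_t v = fn();
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    if (pid > 0) {
        if (read(fd[0], &result, sizeof result) != (ssize_t)sizeof result)
            result = 0;
        waitpid(pid, NULL, 0);
    }
    close(fd[0]);
    return result;
}

/* Layout 1: the module runs in a process that later forks the shell, so the
 * shell is a descendant and inherits the change. */
static rlim_t ancestor_chain(void)
{
    session_module();                 /* runs in the shell's parent   */
    return in_child(current_limit);   /* the "shell", forked from here */
}

rlim_t shell_limit_with_module_in_ancestor(void)
{
    return in_child(ancestor_chain);
}

/* Layout 2 (OpenSSH 3.7.1+ PAM subprocess): the module runs in a subprocess
 * that exits; the shell is forked separately from the same parent and never
 * sees the change. */
static rlim_t sibling_module(void)
{
    session_module();
    return current_limit();           /* only this subprocess sees it */
}

rlim_t shell_limit_with_module_in_sibling(void)
{
    (void)in_child(sibling_module);   /* the PAM subprocess, now gone  */
    return in_child(current_limit);   /* the "shell", forked from the parent */
}

int main(void)
{
    printf("parent soft RLIMIT_NOFILE: %lu\n", (unsigned long)current_limit());
    printf("shell, module in ancestor: %lu\n",
           (unsigned long)shell_limit_with_module_in_ancestor());
    printf("shell, module in sibling:  %lu\n",
           (unsigned long)shell_limit_with_module_in_sibling());
    return 0;
}
```

The first layout prints one less than the parent's limit, the second prints the parent's limit unchanged: in the sibling layout the change died with the subprocess that made it. Turning off privsep does not alter the second tree, which is the point of the reply above; running the module in a thread of the process that forks the shell (the USE_POSIX_THREADS build) does, because the change is then made in the shell's ancestor.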