[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Achim Gsell
achim.gsell@psi.ch
Tue, 27 Jan 2004 15:12:28 +0100
On Monday 26 January 2004 23:51, Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean@av8.com> wrote:
> > On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> >> Worse, it would not solve the problem. The trouble here is not
> >> that AFS tokens are stored in a kernel data structure instead of a
> >> file. It's that they are indexed by a value which must be set on
> >> login, inherited from each process by its children, and must not
> >> be changeable by the user (to prevent token stealing). OpenSSH
> >> loses not because you need special code to set tokens, and not
> >> even because you need special code to generate a new PAG -- those
> >> things can be done by a PAM module. OpenSSH loses because the PAM
> >> session module gets called outside the inheritance chain of the
> >> user's shell, which means it can't set a PAG or anything else
> >> that is inherited across a fork (e.g. groups, environment
> >> variables, resource limits, etc etc etc).
> >
> > Right. And there is an easy solution: Turn off Privsep.
>
> Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run
> PAM session modules in a subprocess unrelated to the eventual user
> shell, regardless of whether privsep is enabled. AFAIK, in earlier
> versions, it works fine even with privsep, because while such things
> may be run in a subprocess, they are run in a subprocess that ends up
> being an ancestor of the user shell.
If you have POSIX threads, make sure that USE_POSIX_THREADS is defined
while compiling auth-pam.c. This works fine with Linux 2.4 and OpenSSH
3.7.1p2.
Achim
--
Scientific Computing
Paul Scherrer Institut
CH-5232 Villigen
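The process-layout problem Jeffrey describes above can be reproduced without AFS at all. The following is an added example and not code from this thread, from OpenSSH or from OpenAFS. A real PAG needs the AFS kernel module, so the soft RLIMIT_NOFILE limit stands in for it here: like a PAG it is kernel state that is copied to a child on fork() and preserved across execve(), but it cannot be pushed from one process into a sibling. The function names (session_module, shell_sees_marker, shell_inherits_marker) and the two layout names are this example's own.

```c
/* Added example, not code from OpenSSH or OpenAFS. Models the two process
 * layouts discussed in the thread: a PAM session module that runs in an
 * ancestor of the user's shell, and one that runs in a throw-away
 * subprocess. The soft RLIMIT_NOFILE limit stands in for an AFS PAG. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

enum layout {
    SESSION_IN_ANCESTOR,  /* session module runs in an ancestor of the shell */
    SESSION_IN_SIBLING    /* session module runs in a subprocess that exits */
};

/* Pick a soft fd limit that differs from the one we inherited, so that
 * "the shell saw the marker" is unambiguous. Lowering the soft limit is
 * always permitted for an unprivileged process. Returns 0 on error. */
static rlim_t choose_marker(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    return rl.rlim_cur == 64 ? 63 : 64;
}

/* Stand-in for the PAM session module: set inherited kernel state in
 * whichever process we happen to be running in (cf. setpag()). */
static int session_module(rlim_t marker) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = marker;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Stand-in for the user's shell: did the marker arrive? 1/0, -1 on error. */
static int shell_sees_marker(rlim_t marker) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return rl.rlim_cur == marker ? 1 : 0;
}

/* Wait for pid; return its exit status, or -1 if it did not exit normally. */
static int exit_status(pid_t pid) {
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Returns 1 if the shell inherited the marker, 0 if not, -1 on error. */
int shell_inherits_marker(enum layout how) {
    rlim_t marker = choose_marker();
    if (marker == 0) return -1;

    pid_t sshd = fork();            /* the per-connection sshd child */
    if (sshd < 0) return -1;
    if (sshd == 0) {
        if (how == SESSION_IN_ANCESTOR) {
            /* state is set in a process the shell will descend from */
            if (session_module(marker) != 0) _exit(99);
        } else {
            /* state is set in a subprocess that is not in the shell's
             * inheritance chain, then that subprocess goes away */
            pid_t pam = fork();
            if (pam < 0) _exit(99);
            if (pam == 0) _exit(session_module(marker) == 0 ? 0 : 99);
            if (exit_status(pam) != 0) _exit(99);
        }
        pid_t shell = fork();       /* the user's shell */
        if (shell < 0) _exit(99);
        if (shell == 0) {
            /* execve() would preserve rlimits exactly as fork() did, so
             * checking here is equivalent to checking in an exec'd shell */
            int seen = shell_sees_marker(marker);
            _exit(seen < 0 ? 99 : seen);
        }
        int r = exit_status(shell);
        _exit(r < 0 ? 99 : r);
    }
    int r = exit_status(sshd);
    return (r == 0 || r == 1) ? r : -1;
}

int main(void) {
    printf("session module in ancestor: shell inherits state = %d\n",
           shell_inherits_marker(SESSION_IN_ANCESTOR));
    printf("session module in sibling:  shell inherits state = %d\n",
           shell_inherits_marker(SESSION_IN_SIBLING));
    return 0;
}
```

The ancestor layout hands the state down; the sibling layout loses it, whatever the state is (PAG, supplementary groups, environment, limits), because nothing a finished sibling did is visible to the shell's line of descent. Achim's USE_POSIX_THREADS build corresponds to the first layout: when the PAM code runs in a thread of the same process rather than in a subprocess, whatever it sets is set in an ancestor of the shell, assuming the kernel keeps that state per process rather than per thread (true for resource limits on current Linux; not verified here for every kernel or PAG implementation).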