[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 30 Oct 2006 20:14:51 -0500

On Monday, October 30, 2006 01:56:16 AM -0500 Dean Anderson <dean@av8.com>
wrote:
> I see that openssh is _still_ doing a pam_open_session before
> pam_setcred, but having changed that in openssh (4.0p1), it still
> doesn't work. Pam module gets called--I can see the syslog'd debug
> messages when I add "debug", but I get no credentials on login.

This list is for development discussion, not "please tell me how to make it
work". As such, you should expect to find messages in the archive which
propose solutions to a problem that don't actually help you. Sometimes
that's because the proposed solution is wrong, and sometimes it's because
the topic at hand is quite complex, and what looks like the same problem
may not be. Similarly, "try this" does not mean "this will make your
problem go away"; it means "try this and let me know whether it works".

When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*)
If not, then sshd is going to run the AFS PAM module in a subprocess, where
it has no ability to provide you with tokens. This is a fundamental flaw
in the way OpenSSH handles PAM modules, not a bug in OpenAFS.

If you built with -DUSE_POSIX_THREADS and still have a problem, then please
provide details like the exact versions of openafs and sshd you are using,
any patches you've applied, the OS version and architecture, and the
contents of the relevant PAM config files and log files.

-- Jeff
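
Added example, not part of the original message and not OpenSSH or OpenAFS code: a minimal C model of the subprocess-versus-thread distinction described above. The names fake_setcred and DEMO_AFS_TOKEN are hypothetical, and an environment variable is assumed as a stand-in for whatever per-process credential state a PAM module sets.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration. Assumption: an environment variable stands in for
 * per-process credential state; this is not how AFS stores tokens. */
#define CRED_VAR "DEMO_AFS_TOKEN"

/* Stand-in for the module's credential step; it changes only the calling process. */
static void *fake_setcred(void *unused) {
    (void)unused;
    setenv(CRED_VAR, "granted", 1);
    return NULL;
}

/* 1 if the calling process holds the stand-in credential, else 0. */
static int have_cred(void) {
    const char *v = getenv(CRED_VAR);
    return v != NULL && strcmp(v, "granted") == 0;
}

/* Module run in a forked subprocess: the child gets the credential, the parent does not. */
int cred_after_subprocess(void) {
    int status;
    unsetenv(CRED_VAR);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: run module, report what it sees */
        fake_setcred(NULL);
        _exit(have_cred() ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return have_cred();                  /* parent's view after the child exits */
}
/* Module run in a thread of the same process: the change is visible afterwards. */
int cred_after_thread(void) {
    pthread_t t;
    unsetenv(CRED_VAR);
    if (pthread_create(&t, NULL, fake_setcred, NULL) != 0) return -1;
    if (pthread_join(t, NULL) != 0) return -1;
    return have_cred();
}

int main(void) {
    printf("subprocess: %d\nthread: %d\n", cred_after_subprocess(), cred_after_thread());
    return 0;
}
```

Build with -pthread on toolchains that still require it.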