[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Dean Anderson dean@av8.com
Mon, 30 Oct 2006 22:36:45 -0500 (EST)


On Mon, 30 Oct 2006, Jeffrey Hutzelman wrote:

> On Monday, October 30, 2006 01:56:16 AM -0500 Dean Anderson <dean@av8.com> 
> wrote:
> 
> > I see that openssh is _still_ doing a pam_open_session before
> > pam_setcred, but having changed that in openssh (4.0p1), it still
> > doesn't work.  Pam module gets called--I can see the syslog'd debug
> > messages when I add "debug", but I get no credentials on login.
> 
> This list is for development discussion, not "please tell me how to make it 
> work".  As such, you should expect to find messages in the archive which 
> propose solutions to a problem that don't actually help you.  Sometimes 
> that's because the proposed solution is wrong, and sometimes it's because 
> the topic at hand is quite complex, and what looks like the same problem 
> may not be.  Similarly, "try this" does not mean "this will make your 
> problem go away"; it means "try this and let me know whether it works".

I understand all the issues you mention about development. However,
developers who solve problems but don't tell anyone about the solutions
so found haven't really solved a problem.

> When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*) If
> not, then sshd is going to run the AFS PAM module in a subprocess,
> where it has no ability to provide you with tokens.  This is a
> fundamental flaw in the way OpenSSH handles PAM modules, not a bug in
> OpenAFS.

That would be helpful to put in a FAQ, somewhere easily found. In fact,
I'll be happy to provide a URL to a patch and src.rpm for openssh that you
can add to the FAQ on this subject.

Regarding 'bug in OpenAFS', lots of things are not "bug in <x>", but are
solved by <x> in some way (maybe a patch, maybe just a FAQ), because,
obviously, sometimes <x> isn't very useful without it.

But, thanks for the clues. I do appreciate it.

> If you built with -DUSE_POSIX_THREADS and still have a problem, then
> please provide details like the exact versions of openafs and sshd you
> are using, any patches you've applied, the OS version and
> architecture, and the contents of the relevant PAM config files and
> log files.

I thought I did that: Fedora Core 4 comes with a particular Linux
kernel, glibc, compilers, and other configuration and environment. I
stated openafs 1.4.2, built from the openafs.org distributed src.rpm,
and openssh 4.0p1, as distributed with fc4 and rebuilt as described.
Since I specified all the updates I made, there are no other updates
from the fc4 stock.

Thanks again for the clues.  

                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000