[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 31 Oct 2006 01:37:03 -0500 (EST)


On Mon, 30 Oct 2006, Dean Anderson wrote:

> You must set in /etc/ssh/sshd_config:
> UsePrivilegeSeparation no

True, at least at the moment.  Possibly always.  I'd forgotten about this
because we have to do it anyway for other reasons (at least as of 4.0, the
privsep protocol code does not appear to be 64-bit clean).

> You must also remember to add -lpthread to openssh build.

Hm.  Indeed; that's another thing we didn't have to do, because another
library already pulls it in, and Linux is lax about such things.


> I tested this with openssh4.0p1, along with a previously described patch
> to swap the order of calls to pam_setcred and pam_open_session.  Seems
> to work.

I'm pretty sure our module doesn't do anything in open_session, which is
arguably a bug -- PAM applications are so awful about this that you
basically have to expect them to call setcred and open_session in either
order, before, after, or around actually switching to the user, and/or
skip one of them entirely.

Having read the OpenAFS PAM module code again recently (partly as a result
of your report, and partly for other reasons), I'm not terribly happy with
it.  IIRC, Russ mentioned something about putting together something
better in the near future.

-- Jeff
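The design point raised above, that a credential-establishing PAM module must tolerate setcred and open_session arriving in either order, before or after the uid switch, or with one of them skipped, as an added illustration that is not part of this thread and is not OpenAFS or libpam code. It is a constructed C model: the events, the state struct and `run_sequence` are hypothetical stand-ins for the PAM hooks, and "acquiring tokens" is recorded rather than performed.

```c
/* Constructed model (not libpam, not the OpenAFS module) of a PAM credential
 * module that survives any order of setcred / open_session around the uid
 * switch. "Acquiring tokens" is recorded, not performed. */
#include <string.h>

enum event { SETCRED_ESTABLISH, OPEN_SESSION, SWITCH_TO_USER,
             SETCRED_DELETE, CLOSE_SESSION };
enum how { NOT_ACQUIRED = 0, AS_USER_ALREADY, VIA_TEMP_SETEUID };

/* State a real module would attach to the handle with pam_set_data(). */
struct pam_state {
    int euid;          /* stands in for geteuid(); 0 until SWITCH_TO_USER */
    int target_uid;    /* uid of PAM_USER */
    int creds_held;    /* this module currently holds tokens for the user */
    int acquisitions;  /* how many real acquisitions happened */
    enum how path;     /* how the (first) acquisition was done */
};

/* Both setcred and open_session funnel into this idempotent routine, so
 * whichever the application calls first does the work and the other is a
 * no-op; if the application skips one of them, the other still suffices. */
static void ensure_creds(struct pam_state *s) {
    if (s->creds_held) return;
    if (s->euid == s->target_uid)
        s->path = AS_USER_ALREADY;   /* app switched first: acquire in place */
    else
        s->path = VIA_TEMP_SETEUID;  /* still root: seteuid(target), acquire, seteuid(0) */
    s->creds_held = 1;
    s->acquisitions++;
}

/* Tear down only what this module established; a second delete is a no-op. */
static void release_creds(struct pam_state *s) {
    if (s->creds_held) s->creds_held = 0;
}

/* Replay an application's call sequence; returns 1 when exactly one
 * acquisition happened, whatever order the application chose. */
int run_sequence(const enum event *ev, int n, int target_uid,
                 struct pam_state *out) {
    struct pam_state s; memset(&s, 0, sizeof s); s.target_uid = target_uid;
    for (int i = 0; i < n; i++) {
        switch (ev[i]) {
        case SETCRED_ESTABLISH: case OPEN_SESSION: ensure_creds(&s); break;
        case SWITCH_TO_USER:    s.euid = target_uid; break;
        case SETCRED_DELETE: case CLOSE_SESSION: release_creds(&s); break;
        }
    }
    if (out) *out = s;
    return s.acquisitions == 1;
}
```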