[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Simon Wilkinson
sxw@inf.ed.ac.uk
Tue, 31 Oct 2006 09:12:45 +0000
On 31 Oct 2006, at 01:14, Jeffrey Hutzelman wrote:
>
> When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*)
> If not, then sshd is going to run the AFS PAM module in a
> subprocess, where it has no ability to provide you with tokens.
> This is a fundamental flaw in the way OpenSSH handles PAM modules,
> not a bug in OpenAFS.
OpenSSH, without POSIX_THREADS, will work with AFS, providing you use
an AFS PAM module which creates the PAG as part of the session or
setcred sections - we use Doug Engert's pam_afs2 here, which works
fine. You need to do this, anyway, if you want to get AFS credentials
following a successful GSSAPI authentication.
The POSIX_THREADS hack appears to be being deprecated in the OpenSSH
codebase - it's now renamed USE_UNSUPPORTED_POSIX_THREADS_HACK.
[ The issue is that OpenSSH's complex 'monitor' system means that the
authentication sections of the PAM stack are run within a process
which has no relationship to the process eventually used to spawn the
shell ]
Cheers,
Simon.
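An illustrative sshd PAM stack showing the placement the reply describes (added here as an example; it is not from the message above, and the surrounding pam_krb5/pam_unix lines and the use of pam_afs2 with no module options are assumptions). PAM runs a module's pam_sm_setcred when the application calls pam_setcred() on the auth stack, and pam_sm_open_session on the session stack; both calls happen in the process that goes on to spawn the user's shell, whereas pam_sm_authenticate runs in OpenSSH's separate authentication child when the POSIX threads hack is not compiled in.

```text
# /etc/pam.d/sshd (constructed fragment for illustration)
#
# pam_sm_authenticate of these modules runs in sshd's privsep
# authentication child; any PAG or token created there dies with it.
auth     required   pam_env.so
auth     sufficient pam_krb5.so
auth     required   pam_unix.so
# Listing pam_afs2 on the auth stack is what lets its pam_sm_setcred
# run when sshd calls pam_setcred() in the process that later becomes
# the login shell: that is where the PAG and token must be created.
auth     optional   pam_afs2.so

account  required   pam_unix.so

session  required   pam_unix.so
# pam_sm_open_session also runs in the shell-spawning process, so
# pam_afs2 here covers the case where setcred is not reached
# (e.g. after GSSAPI authentication with no password-based auth stack).
session  optional   pam_afs2.so
```

After logging in, `tokens` should list an AFS token for the cell; if it does not, confirm `UsePAM yes` in sshd_config and that pam_afs2 appears in the auth or session stack rather than only in a module that acts during authentication.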