[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Douglas E. Engert deengert@anl.gov
Tue, 31 Oct 2006 09:01:07 -0600


Rather than having to modify ssh to swap the order of the
calls to pam_setcred and pam_open_session, you could look at
using one of the pam_afs modules that will get the token and PAG
during the pam_setcred. For example the pam_openafs_session.so
module can be called from "auth" and it will get the token
during pam_setcred.


Dean Anderson wrote:
> BTW, there are a couple more things to add in the FAQ on this:
> 
> You must set in /etc/ssh/sshd_config:
> UsePrivilegeSeparation no
> 
> You must also remember to add -lpthread to openssh build.
> 
> I tested this with openssh4.0p1, along with a previously described patch
> to swap the order of calls to pam_setcred and pam_open_session.  Seems 
> to work.
> 
> I will put a patch and a source src.RPM up at 
> http://www.av8.net/SOURCES/openssh-4.0p1-av8.patch
> http://www.av8.net/SRPMS/openssh-4.0p1-1av8.src.rpm
> Feel free to link.
> 
> Thanks,
> 
> 		--Dean
> 
> On Mon, 30 Oct 2006, Dean Anderson wrote:
> 
> 
>>On Mon, 30 Oct 2006, Jeffrey Hutzelman wrote:
>>
>>
>>>On Monday, October 30, 2006 01:56:16 AM -0500 Dean Anderson <dean@av8.com> 
>>>wrote:
>>>
>>>
>>>>I see that openssh is _still_ doing a pam_open_session before
>>>>pam_setcred, but having changed that in openssh (4.0p1), it still
>>>>doesn't work.  Pam module gets called--I can see the syslog'd debug
>>>>messages when I add "debug", but I get no credentials on login.
>>>
>>>This list is for development discussion, not "please tell me how to make it 
>>>work".  As such, you should expect to find messages in the archive which 
>>>propose solutions to a problem that don't actually help you.  Sometimes 
>>>that's because the proposed solution is wrong, and sometimes it's because 
>>>the topic at hand is quite complex, and what looks like the same problem 
>>>may not be.  Similarly, "try this" does not mean "this will make your 
>>>problem go away"; it means "try this and let me know whether it works".
>>
>>I understand all the issues you mention about development. However,
>>developers who solve problems but don't tell anyone about the solutions
>>so found, haven't really solved a problem.
>>
>>
>>>When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*) If
>>>not, then sshd is going to run the AFS PAM module in a subprocess,
>>>where it has no ability to provide you with tokens.  This is a
>>>fundamental flaw in the way OpenSSH handles PAM modules, not a bug in
>>>OpenAFS.
>>
>>That would be helpful to put in a FAQ, somewhere easily found. In fact, 
>>I'll be happy to provide url to a patch and src.rpm for openssh that you 
>>can add to the FAQ on this subject.
>>
>>Regarding 'bug in OpenAFS', lots of things are not "bug in <x>", but are
>>solved by <x> in some way (maybe a patch, maybe just a FAQ), because,
>>obviously, sometimes <x> isn't very useful without it.
>>
>>But, thanks for the clues. I do appreciate it.
>>
>>
>>>If you built with -DUSE_POSIX_THREADS and still have a problem, then
>>>please provide details like the exact versions of openafs and sshd you
>>>are using, any patches you've applied, the OS version and
>>>architecture, and the contents of the relevant PAM config files and
>>>log files.
>>
>>I thought I did that: fedora core 4 comes with a particular linux
>>kernel, glibc, compilers, and other configuration and environment. I
>>stated openafs 1.4.2, build from the openafs.org distributed src.rpm,
>>and openssh 4.0p1, as distributed with fc4 and rebuilt as described.  
>>Since I specified all the updates I made, there are no other updates
>>from the fc4 stock.
>>
>>Thanks again for the clues.  
>>
>>                --Dean
>>
>>
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
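A small audit script for the two configuration points raised in this thread (UsePrivilegeSeparation in sshd_config, and whether the AFS PAM module sits in the "auth" stack so pam_setcred can obtain the token); this is an added example, not code from OpenAFS or OpenSSH, and the sshd_config and pam.d contents are constructed samples. The module name pam_openafs_session.so is the one named in the message above.

```python
import re

# Constructed sample inputs (not taken from any real host).
SSHD_CONFIG = """\
Port 22
UsePAM yes
UsePrivilegeSeparation yes
"""
PAM_SSHD = """\
auth     required   pam_env.so
auth     sufficient pam_krb5.so
account  required   pam_unix.so
session  required   pam_limits.so
session  optional   pam_openafs_session.so debug
"""

# type, control (plain word or [bracketed ...]), module, optional args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_sshd_config(text):
    """Map lowercased keyword -> value. As in sshd itself, the first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def parse_pam(text):
    """Return (type, control, module, args) tuples from a pam.d service file."""
    entries = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3), m.group(4).split()))
    return entries

def audit(sshd_text, pam_text, afs_module="pam_openafs_session.so"):
    """Return findings; an empty list means both points from the thread are covered."""
    findings = []
    if parse_sshd_config(sshd_text).get("useprivilegeseparation", "yes").lower() != "no":
        findings.append("sshd: UsePrivilegeSeparation is not 'no'; the thread reports the "
                        "PAG/token obtained by the PAM module then never reaches the login")
    stacks = {t for t, _ctl, mod, _args in parse_pam(pam_text) if mod.endswith(afs_module)}
    if "auth" not in stacks:
        findings.append(f"pam: {afs_module} is not in the auth stack, so it cannot get the "
                        "token in pam_setcred; sshd calls pam_open_session before pam_setcred")
    return findings

if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, PAM_SSHD):
        print("FINDING:", finding)
```

The script cannot tell whether sshd was built with -DUSE_POSIX_THREADS and -lpthread; that still has to be verified against the build itself.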