[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
Russ Allbery
rra@stanford.edu
Tue, 31 Oct 2006 08:10:10 -0800
Douglas E Engert <deengert@anl.gov> writes:
> Rather then having to modify ssh to swap the order of the
> calls to pam_setcred and pam_open_session, you could look at
> using one of the pam_afs module that will get the token and PAG
> during the pam_setcred. For example the pam_openafs_session.so
> module can be called from "auth" and it will get the token
> during pam_setcred.
pam_openafs_session.so relies on aklog -setpag, which is what sparked this
whole discussion. That functionality appears to have broken with the
latest kernels and the latest OpenAFS. I had one report that it started
working again after reverting the kernel module to 1.4.2-fc3 and one
report that that didn't help.
-setpag is, as Jeff points out, living on borrowed time. It may be
possible to fix this; I don't know the Linux kernel internals well enough
to tell you. However, the best solution is to switch to a PAM module that
creates a PAG through a direct system call during open_session or setcred.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>