[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens

Russ Allbery rra@stanford.edu
Tue, 31 Oct 2006 08:10:10 -0800


Douglas E Engert <deengert@anl.gov> writes:

> Rather than having to modify ssh to swap the order of the
> calls to pam_setcred and pam_open_session, you could look at
> using one of the pam_afs modules that will get the token and PAG
> during the pam_setcred. For example the pam_openafs_session.so
> module can be called from "auth" and it will get the token
> during pam_setcred.

pam_openafs_session.so relies on aklog -setpag, which is what sparked this
whole discussion.  That functionality appears to have broken with the
latest kernels and the latest OpenAFS.  I had one report that it started
working again after reverting the kernel module to 1.4.2-fc3 and one
report that that didn't help.

-setpag is, as Jeff points out, living on borrowed time.  It may be
possible to fix this; I don't know the Linux kernel internals well enough
to tell you.  However, the best solution is to switch to a PAM module that
creates a PAG through a direct system call during open_session or setcred.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>