[OpenAFS-devel] OpenAFS and OpenSSH, PAM, tokens
lamont@scriptkiddie.org
Tue, 31 Oct 2006 10:49:56 -0800 (PST)
On Tue, 31 Oct 2006, Jeffrey Hutzelman wrote:
> OpenAFS's PAM module does nothing during open_session, and while it will
> create the PAG during setcred, it doesn't set a token there unless it can
> actually obtain tokens using the password stored for it (in PAM data) by
> the auth method. That is, OpenAFS's authenticate and setcred operations
> need to communicate with each other, and OpenSSH prevents that by running
> the former in a subprocess.
The pam_krb5afs in Red Hat (I think RHEL4 or later) works around this issue
by introducing a use_shmem flag so that they can communicate between
processes.
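
The problem discussed in this message, as an added example that is not part of the original post and is not code from OpenAFS, OpenSSH or pam_krb5afs: a small C model in which "authenticate" runs in a forked child and "setcred" runs in the parent, first with ordinary per-process memory and then with a shared mapping. The names `pam_item`, `model_authenticate`, `model_setcred` and `setcred_sees_password` are hypothetical, the password is a constructed sample, and the shared mapping only models the idea of a shared-memory handoff, not how `use_shmem` is implemented.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the item a module keeps in PAM data. */
struct pam_item { char secret[64]; };

/* Model of "authenticate": stash the password for a later setcred call. */
static void model_authenticate(struct pam_item *item, const char *pw) {
    strncpy(item->secret, pw, sizeof item->secret - 1);
    item->secret[sizeof item->secret - 1] = '\0';
}

/* Model of "setcred": a token can be obtained only if the password is visible. */
static int model_setcred(const struct pam_item *item) {
    return item->secret[0] != '\0';
}

/* Runs authenticate in a child process and setcred in the parent.
 * shared=0: private memory, the child's write never reaches the parent.
 * shared=1: MAP_SHARED memory, the child's write is visible to the parent.
 * Returns 1 if setcred saw the password, 0 if not, -1 on error. */
int setcred_sees_password(int shared) {
    int flags = MAP_ANONYMOUS | (shared ? MAP_SHARED : MAP_PRIVATE);
    struct pam_item *item = mmap(NULL, sizeof *item, PROT_READ | PROT_WRITE,
                                 flags, -1, 0);
    if (item == MAP_FAILED) return -1;
    memset(item, 0, sizeof *item);

    pid_t pid = fork();
    if (pid == 0) {                       /* child: the auth subprocess */
        model_authenticate(item, "constructed-sample-password");
        _exit(0);
    }
    int status = 0, seen = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        seen = model_setcred(item);       /* parent: the setcred step */
    memset(item, 0, sizeof *item);        /* clear the secret before unmapping */
    munmap(item, sizeof *item);
    return seen;
}

int main(void) {
    printf("private memory: setcred sees password = %d\n", setcred_sees_password(0));
    printf("shared memory:  setcred sees password = %d\n", setcred_sees_password(1));
    return 0;
}
```

A shared region used this way holds a plaintext password, so it should exist only for the duration of the handoff and be readable only by the processes involved.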