[OpenAFS-devel] AFS and SSH once again

Simon Wilkinson sxw@inf.ed.ac.uk
Fri, 16 Nov 2007 20:10:30 +0000


On 16 Nov 2007, at 19:44, Russ Allbery wrote:

> pam_afs doesn't work properly with ssh because it tries to do all of its
> work in the auth stack instead of using the session stack to set up
> tokens.

I talked about this at the last AFS BPW. Basically, OpenSSH normally
performs the PAM auth step from a process that doesn't own the
eventual shell (in fact, the process is spawned specifically to
perform the authentication, and then is killed as soon as
authentication is complete). There are some diagrams of this at
http://workshop.openafs.org/afsbpw07/talks/simon2.pdf

I suspect that you may be able to get this to work with some versions  
of OpenSSH by disabling the ChallengeResponse option - although this  
limits the types of PAM interaction that you can perform.

Cheers,

Simon.