[OpenAFS] token oddities under Linux
Marc Schmitt
schmitt@inf.ethz.ch
Thu, 25 Jul 2002 23:54:48 +0200
Hi Tino,
Tino Schwarze wrote:
> Are you sure that there wasn't a token left over from your other
> tries?
I`ll give you the benefit of the doubt. ;)
> Try the following:
>
> ssh to B unlog tokens
bash-2.05a$ unlog
bash-2.05a$ tokens
Tokens held by the Cache Manager:
--End of list--
> klog -setpag tokens
bash-2.05a$ klog mschmitt -setpag
Password:
bash-2.05a$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
--End of list--
>
> And in second terminal:
>
> ssh to B tokens
[root@respect root]# tokens
Tokens held by the Cache Manager:
--End of list--
> su $user
[root@respect root]# su - mschmitt
bash-2.05a$
> tokens
bash-2.05a$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
--End of list--
>
> What do you get?
Judging by your first question, you don`t believe what I get, do you? In
other words, you`ve never seen that effect on your Linux boxes??? I
can`t belive that. I wasn`t aware that this supposedly should not happen
till today when I mentioned to our SunOS Admins that I recommended one
of our Linux users to use the pagsh, so that root can`t take over the
users` token. To my astonishment (and to theirs, too), indeed the
behavior is completely different.
One thing I`ve noticed so far is that if I use pam_afs under Linux to
create a token at login (in system-auth), the tokens are in a PAG.
Meaning, `su $user` will not give you the token of $user and every ssh
session to the machine will create its own token (easy to check by the
expiration date).
But on a Linux machine w/o pam_afs, it (mis)behaves exactly as I
described above. Afaik pam_afs does NOT use klog (unless you explicitly
configure it with use_klog). I tried pam_afs with use_klog and it works
fine, the tokens are in a PAG, exactly like under SunOS. I don`t
understand why `klog -setpag` does not work then...
Regards,
Marc