[OpenAFS] token oddities under Linux

Marc Schmitt schmitt@inf.ethz.ch
Thu, 25 Jul 2002 23:54:48 +0200


Hi Tino,

Tino Schwarze wrote:

 > Are you sure that there wasn't a token left over from your other
 > tries?

I`ll give you the benefit of the doubt. ;)

 > Try the following:
 >
 > ssh to B unlog tokens

bash-2.05a$ unlog
bash-2.05a$ tokens

Tokens held by the Cache Manager:

    --End of list--

 > klog -setpag tokens

bash-2.05a$ klog mschmitt -setpag
Password:
bash-2.05a$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
    --End of list--


 >
 > And in second terminal:
 >
 > ssh to B tokens

[root@respect root]# tokens

Tokens held by the Cache Manager:

    --End of list--


 > su $user

[root@respect root]# su - mschmitt
bash-2.05a$

 > tokens

bash-2.05a$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
    --End of list--


 >
 > What do you get?

Judging by your first question, you don`t believe what I get, do you? In 
other words, you`ve never seen that effect on your Linux boxes??? I 
can`t belive that. I wasn`t aware that this supposedly should not happen 
till today when I mentioned to our SunOS Admins that I recommended one 
of our Linux users to use the pagsh, so that root can`t take over the 
users` token. To my astonishment (and to theirs, too), indeed the 
behavior is completely different.

One thing I`ve noticed so far is that if I use pam_afs under Linux to 
create a token at login (in system-auth), the tokens are in a PAG. 
Meaning, `su $user` will not give you the token of $user and every ssh 
session to the machine will create its own token (easy to check by the 
expiration date).
But on a Linux machine w/o pam_afs, it (mis)behaves exactly as I 
described above. Afaik pam_afs does NOT use klog (unless you explicitly 
configure it with use_klog). I tried pam_afs with use_klog and it works 
fine, the tokens are in a PAG, exactly like under SunOS. I don`t 
understand why `klog -setpag` does not work then...



Regards,
	Marc