[OpenAFS] token oddities under Linux

Derek Atkins warlord@MIT.EDU
25 Jul 2002 18:13:14 -0400


What do you get from 'id' before and after you run 'klog -setpag'?

-derek

Marc Schmitt <schmitt@inf.ethz.ch> writes:

> Hi Tino,
> 
> Tino Schwarze wrote:
> 
>  > Are you sure that there wasn't a token left over from your other
>  > tries?
> 
> I'll give you the benefit of the doubt. ;)
> 
>  > Try the following:
>  >
>  > ssh to B unlog tokens
> 
> bash-2.05a$ unlog
> bash-2.05a$ tokens
> 
> Tokens held by the Cache Manager:
> 
>     --End of list--
> 
>  > klog -setpag tokens
> 
> bash-2.05a$ klog mschmitt -setpag
> Password:
> bash-2.05a$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
>     --End of list--
> 
> 
>  >
>  > And in second terminal:
>  >
>  > ssh to B tokens
> 
> [root@respect root]# tokens
> 
> Tokens held by the Cache Manager:
> 
>     --End of list--
> 
> 
>  > su $user
> 
> [root@respect root]# su - mschmitt
> bash-2.05a$
> 
>  > tokens
> 
> bash-2.05a$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 27240) tokens for afs@ethz.ch [Expires Jul 27 00:37]
>     --End of list--
> 
> 
>  >
>  > What do you get?
> 
> Judging by your first question, you don't believe what I get, do you?
> In other words, you've never seen that effect on your Linux boxes??? I
> can't believe that. I wasn't aware that this supposedly should not
> happen till today when I mentioned to our SunOS Admins that I
> recommended one of our Linux users to use the pagsh, so that root
> can't take over the users' token. To my astonishment (and to theirs,
> too), indeed the behavior is completely different.
> 
> One thing I've noticed so far is that if I use pam_afs under Linux to
> create a token at login (in system-auth), the tokens are in a
> PAG. Meaning, `su $user` will not give you the token of $user and
> every ssh session to the machine will create its own token (easy to
> check by the expiration date).
> But on a Linux machine w/o pam_afs, it (mis)behaves exactly as I
> described above. Afaik pam_afs does NOT use klog (unless you
> explicitly configure it with use_klog). I tried pam_afs with use_klog
> and it works fine, the tokens are in a PAG, exactly like under
> SunOS. I don't understand why `klog -setpag` does not work then...
> 
> 
> 
> Regards,
> 	Marc
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available