[OpenAFS] Re: openssh-3.7.1, pam and no token after login

Hendrik Hoeth hendrik.hoeth@cern.ch
Tue, 16 Dec 2003 23:19:24 +0100

Hi Chris,

Thus spake Christopher Allen Wing (wingc@engin.umich.edu):
> Are you using the OpenAFS pam module?

Yes, I am.

> The later versions of openssh with 'privilege separation' enabled seem
> to be doing some interesting things with PAM, like opening the PAM
> handle as root and then later closing it under a different uid, etc.

openssh before 3.7.1 (even with privilege separation) used to work fine.
The problem that I don't get a token appeared with openssh 3.7.1.

John T. Boyland reported the same problem on Solaris with privsep
disabled some time ago, but he has no solution yet, either.

> We have our own pam module that needed some modifications to work
> properly. I haven't tried the OpenAFS one so I don't know if it is
> broken with newer openssh or not.

May I ask what you changed in your pam module? Are these special
changes for your environment, or could it be useful for me as well?


For every problem there is a solution
that is simple, clear and wrong.
(Henry Louis Mencken)