[OpenAFS] openssh-3.7.1, pam and no token after login

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 17 Dec 2003 12:19:00 -0500


On Tuesday, December 16, 2003 03:45:37 +0100 Hendrik Hoeth 
<hendrik.hoeth@cern.ch> wrote:

> Hi,
>
> I've got a small but annoying problem. My configuration is:
>
> - openafs-client (plain afs, no third-party kerberos)
> - openssh-3.7.1
> - pam
>
> When I log in via ssh, I won't get a new token (though I can log in).  If
> I then use klog to obtain a token, log out (no unlog), ssh again, I have
> the token which I got from klog before.
>
> This problem appeared after upgrading to openssh-3.7.1, older versions
> of openssh worked fine.  Any hints?

As I understand it, OpenSSH starting in 3.7.0 or 3.7.1 runs PAM session 
modules in a subprocess, even if privsep is not enabled.  The result is 
that changes made by these modules, such as establishing a new PAG into 
which your tokens are placed, are not inherited by your shell.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
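
The inheritance problem described in the reply above, as an added example that is not part of the original message and is not OpenSSH or OpenAFS code. It is a simplified model: the `current_pag` variable and the `session_module_open` function are hypothetical stand-ins for a real PAG and for a PAM session module that creates one.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the PAG: per-process state that a child inherits at fork()
 * but that never flows back from a child to its parent. 0 means "no PAG".
 * (Assumption for illustration; a real AFS client asks the kernel for a PAG.) */
static int current_pag = 0;

/* Stand-in for a PAM session module that establishes a new PAG. */
static void session_module_open(void) { current_pag = 4242; }

/* Fork the "user shell"; it reports through its exit status whether it
 * inherited a PAG (1) or not (0). Returns -1 on error. */
static int shell_has_pag(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(current_pag != 0 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Session module runs in the same process that later forks the shell:
 * the shell inherits the new PAG. */
int login_module_in_process(void) {
    current_pag = 0;
    session_module_open();
    return shell_has_pag();
}

/* Session module runs in a subprocess, as the reply describes: the PAG
 * exists only in that subprocess and is gone when it exits. */
int login_module_in_subprocess(void) {
    pid_t pid;
    current_pag = 0;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { session_module_open(); _exit(0); }
    if (waitpid(pid, NULL, 0) < 0) return -1;
    return shell_has_pag();
}

int main(void) {
    printf("module in process:    shell has PAG = %d\n", login_module_in_process());
    printf("module in subprocess: shell has PAG = %d\n", login_module_in_subprocess());
    return 0;
}
```
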