[OpenAFS] Strange token issues
Christopher Allen Wing
wingc@engin.umich.edu
Mon, 6 Oct 2003 16:06:24 -0400 (EDT)
I'm guessing that you started sshd inside a PAG. As a result, every login
session which is started by sshd (i.e. logins) and the 'su' processes
within them all inherit the same PAG and share the same set of tokens.
(What do you get if you run 'id' within a bob shell or a su to root
shell?)
What I usually try to do is make sure that I am not inside a PAG when
starting a daemon process as root. Here's a program that will erase any
current PAG:
http://www-personal.engin.umich.edu/~wingc/code/unpagsh.c
(analogous to 'pagsh')
Many sites that use AFS also make sure that every login session receives a
new PAG, to avoid this issue. (The OpenAFS 'pam_afs' module should create
a new PAG for each login, for instance)
-Chris Wing
wingc@engin.umich.edu
On Mon, 6 Oct 2003, John Koyle wrote:
> ssh to machineA as user bob.
> kinit/aklog user bob and receive ticket/token.
>
> Open a new window on the client and ssh to machineA as user root.
> Running tokens shows Bob's token!
>
> Running unlog in root's terminal removes the token, both for user root
> and user bob.
>
> If I then do a kinit/aklog as root, bob can sees the new token instead
> of his own!