[OpenAFS] Strange token issues

John Koyle jkoyle@rfpdepot.com
Mon, 06 Oct 2003 14:17:38 -0600


That makes sense.  Running unpagsh and restarting sshd fixed the
problem.  Somehow with the recent OpenSSH updates I must have started it
within a PAG.

Thanks for the link to unpagsh.c also.

John

On Mon, 2003-10-06 at 14:06, Christopher Allen Wing wrote:
> I'm guessing that you started sshd inside a PAG. As a result, every login
> session which is started by sshd (i.e. logins) and the 'su' processes
> within them all inherit the same PAG and share the same set of tokens.
> 
> (What do you get if you run 'id' within a bob shell or a su to root
> shell?)
> 
> 
> What I usually try to do is make sure that I am not inside a PAG when
> starting a daemon process as root. Here's a program that will erase any
> current PAG:
> 
> 	http://www-personal.engin.umich.edu/~wingc/code/unpagsh.c
> 
> (analogous to 'pagsh')
> 
> Many sites that use AFS also make sure that every login session receives a
> new PAG, to avoid this issue. (The OpenAFS 'pam_afs' module should create
> a new PAG for each login, for instance)
> 
> 
> -Chris Wing
> wingc@engin.umich.edu
> 
> On Mon, 6 Oct 2003, John Koyle wrote:
> 
> > ssh to machineA as user bob.
> > kinit/aklog user bob and receive ticket/token.
> >
> > Open a new window on the client and ssh to machineA as user root.
> > Running tokens shows Bob's token!
> >
> > Running unlog in root's terminal removes the token, both for user root
> > and user bob.
> >
> > If I then do a kinit/aklog as root, bob can see the new token instead
> > of his own!
> 
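The thread's diagnosis rests on one check: was sshd itself started inside a PAG, so that every session it spawns inherits the same token set? Below is an added example (not from the thread, and not part of OpenAFS or unpagsh.c) that turns Chris's "run 'id'" hint into a script: it reads a process's supplementary groups from /proc/PID/status and reports any that look like PAG marker groups. The gid ranges are assumptions based on how OpenAFS encodes a PAG id of the form 0x41xxxxxx into the group list (two gids in 0x7f00..0xbeff on the classic encoding, or one gid in 0x41000000..0x41ffffff on the newer single-group encoding); verify them against your kernel module before relying on the result.

```shell
#!/bin/sh
# Hypothetical PAG checker: decide whether a process is running inside an
# AFS PAG by looking at its supplementary groups. Assumed encodings:
#   - classic: two gids in 32512..48895 (0x7f00..0xbeff)
#   - newer Linux: one gid in 1090519040..1107296255 (0x41000000..0x41ffffff)

# is_pag_gid GID -> exit status 0 if GID looks like a PAG marker group
is_pag_gid() {
    gid=$1
    if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
        return 0
    fi
    if [ "$gid" -ge 32512 ] && [ "$gid" -le 48895 ]; then
        return 0
    fi
    return 1
}

# count_pag_groups "GID GID ..." -> prints how many of the gids look like PAG groups
count_pag_groups() {
    n=0
    for g in $1; do
        if is_pag_gid "$g"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# groups_of_pid PID -> prints the space-separated "Groups:" line of /proc/PID/status
groups_of_pid() {
    awk '/^Groups:/ { $1 = ""; print }' "/proc/$1/status"
}

# check_pid PID -> exit status 0 if the process carries PAG groups
check_pid() {
    n=$(count_pag_groups "$(groups_of_pid "$1")")
    [ "$n" -gt 0 ]
}

# Usage: ./pagcheck.sh <pid>   (e.g. the pid of the listening sshd)
# A daemon that should serve many users must report "no PAG groups".
if [ -n "${1:-}" ]; then
    if check_pid "$1"; then
        echo "pid $1: inside a PAG; children will share one token set"
    else
        echo "pid $1: no PAG groups"
    fi
fi
```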