[OpenAFS] ssh-3.7.1p2 on linux doesn't set AFS pag - can PAM do it?
Shawn Freebern
smf@btv.ibm.com
Tue, 7 Oct 2003 14:55:04 -0400 (EDT)

I've built the latest openssh (3.7.1p2) on a linux system running the
latest release of openafs. I don't seem to get a token on login unless I
enable -DUSE_POSIX_THREADS (and link -lpthread - see openafs-devel for
more on that topic). My problem now is that sshd doesn't set a PAG on
login - everyone who logs in with ssh shares the latest tokens - and when
any session closes, everyone loses tokens. I have UsePAM enabled and have
the default afs-aware pam.d/sshd.

This is probably due to the decision to remove AFS support from ssh.
openssh-3.7.1p1 has this code in sshd.c:

    #ifdef AFS
        /* If machine has AFS, set process authentication group. */
        if (k_hasafs()) {
            k_setpag();
            k_unlog();
        }
    #endif /* AFS */

The lack of that code would seem to be the problem - sshd is no longer
creating a new PAG. Now, I could add the AFS code back into sshd - but
since the decision has been made to remove AFS support, it seems the
logical action here would be to set the PAG somewhere else - can PAM do
that for me, and if so, how?

As a second question, I noticed somewhere that -DUSE_POSIX_THREADS may
create a security problem - anyone willing to explain what I need to be
aware of there?

Thanks,
Shawn
--
Shawn M. Freebern smf@btv.ibm.com