[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

Christian Pfaffel flash@itp.tu-graz.ac.at
18 Sep 2003 10:48:49 +0200

John Tang Boyland <boyland@solomons.cs.uwm.edu> writes:

> I installed the new version of openssh-3.7.1p1 on our Sparc Solaris
> machines but it no longer seems to correctly get a PAG.
> (We're using Openafs-1.2.10 with pam_afs from there.)
> Our pam.conf entry (unchanged from openssh 3.4p1) is
> sshd    auth requisite          pam_authtok_get.so.1
> sshd    auth optional           pam_dhkeys.so.1
> sshd    auth optional           pam_unix_auth.so.1
> sshd    auth optional           pam_afs.so.1  try_first_pass  ignore_root
> What happens is very interesting:
> Authentication works in that the AFS password is sufficient
> to enter the system, but then one gets a PAG assigned
> arbitrarily from existing PAGs for that user on the machine,
> and thus one gets the tokens (if any) for that PAG.
> (I configured openssh --with-pam but without AFS support -- I'm
> not trying to do token passing.)

This actually seems to be a bug in openssh 2.7.1p1 in conjunction with
privilege separation enabled. Try to disable it for the sshd and see
the difference. AFAIK, there is no patch right now to solve that
problem for you without disabling privilege separation.


Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz   http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg