[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)
Christian Pfaffel
flash@itp.tu-graz.ac.at
18 Sep 2003 10:48:49 +0200
John Tang Boyland <boyland@solomons.cs.uwm.edu> writes:
> I installed the new version of openssh-3.7.1p1 on our Sparc Solaris
> machines but it no longer seems to correctly get a PAG.
> (We're using Openafs-1.2.10 with pam_afs from there.)
> Our pam.conf entry (unchanged from openssh 3.4p1) is
>
> sshd auth requisite pam_authtok_get.so.1
> sshd auth optional pam_dhkeys.so.1
> sshd auth optional pam_unix_auth.so.1
> sshd auth optional pam_afs.so.1 try_first_pass ignore_root
>
> What happens is very interesting:
> Authentication works in that the AFS password is sufficient
> to enter the system, but then one gets a PAG assigned
> arbitrarily from existing PAGs for that user on the machine,
> and thus one gets the tokens (if any) for that PAG.
>
> (I configured openssh --with-pam but without AFS support -- I'm
> not trying to do token passing.)
>
This actually seems to be a bug in openssh 2.7.1p1 in conjunction with
privilege separation enabled. Try to disable it for the sshd and see
the difference. AFAIK, there is no patch right now to solve that
problem for you without disabling privilege separation.

Regards,
Christian
--
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg