[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

John Tang Boyland boyland@solomons.cs.uwm.edu
Thu, 18 Sep 2003 09:51:27 -0500


] John Tang Boyland <boyland@solomons.cs.uwm.edu> writes:
] 
] > I installed the new version of openssh-3.7.1p1 on our Sparc Solaris
] > machines but it no longer seems to correctly get a PAG.
] > (We're using Openafs-1.2.10 with pam_afs from there.)
] > Our pam.conf entry (unchanged from openssh 3.4p1) is
] > 
] > sshd    auth requisite          pam_authtok_get.so.1
] > sshd    auth optional           pam_dhkeys.so.1
] > sshd    auth optional           pam_unix_auth.so.1
] > sshd    auth optional           pam_afs.so.1  try_first_pass  ignore_root
] > 
] > What happens is very interesting:
] > Authentication works in that the AFS password is sufficient
] > to enter the system, but then one gets a PAG assigned
] > arbitrarily from existing PAGs for that user on the machine,
] > and thus one gets the tokens (if any) for that PAG.
] > 
] > (I configured openssh --with-pam but without AFS support -- I'm
] > not trying to do token passing.)
] > 
] This actually seems to be a bug in openssh 2.7.1p1 in conjunction with
] privilege separation enabled. Try disabling it for sshd and see
] the difference. AFAIK, there is no patch right now to solve that
] problem for you without disabling privilege separation.

Actually, privilege separation is already turned off.

I'm not trying to use token passing,
but should I use Owen Le Blanc's patch?

] Christian Pfaffel <flash@itp.tu-graz.ac.at>
] Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
] Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
] Petersgasse 16, A-8010 Graz   http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg

John Boyland (boyland@cs.uwm.edu)