[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)
John Tang Boyland
boyland@solomons.cs.uwm.edu
Thu, 18 Sep 2003 09:51:27 -0500
] John Tang Boyland <boyland@solomons.cs.uwm.edu> writes:
]
] > I installed the new version of openssh-3.7.1p1 on our Sparc Solaris
] > machines but it no longer seems to correctly get a PAG.
] > (We're using Openafs-1.2.10 with pam_afs from there.)
] > Our pam.conf entry (unchanged from openssh 3.4p1) is
] >
] > sshd auth requisite pam_authtok_get.so.1
] > sshd auth optional pam_dhkeys.so.1
] > sshd auth optional pam_unix_auth.so.1
] > sshd auth optional pam_afs.so.1 try_first_pass ignore_root
] >
] > What happens is very interesting:
] > Authentication works in that the AFS password is sufficient
] > to enter the system, but then one gets a PAG assigned
] > arbitrarily from existing PAGs for that user on the machine,
] > and thus one gets the tokens (if any) for that PAG.
] >
] > (I configured openssh --with-pam but without AFS support -- I'm
] > not trying to do token passing.)
] >
] This actually seems to be a bug in openssh 2.7.1p1 in conjunction with
] privilege separation enabled. Try to disable it for the sshd and see
] the difference. AFAIK, there is no patch right now to solve that
] problem for you without disabling privilege separation.

Actually, privilege separation is already turned off.
I'm not trying to use token passing,
but should I use Owen Le Blanc's patch?

] Christian Pfaffel <flash@itp.tu-graz.ac.at>
] Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
] Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
] Petersgasse 16, A-8010 Graz http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg
John Boyland (boyland@cs.uwm.edu)