[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

John Tang Boyland boyland@solomons.cs.uwm.edu
Thu, 18 Sep 2003 10:10:41 -0500


On Wed, 17 Sep 2003, Derrick J Brashear wrote:
] On Wed, 17 Sep 2003, John Tang Boyland wrote:
] >
] > What happens is very interesting:
] > Authentication works in that the AFS password is sufficient
] > to enter the system, but then one gets a PAG assigned
] > arbitrarily from existing PAGs for that user on the machine,
] > and thus one gets the tokens (if any) for that PAG.
] 
] That seems unlikely.
]
] What does "groups" say?

Indeed!  Here is an example.
Notice that on pabst I have PAG 33536 32554,
and then start up a new PAG shell ($) with PAG 33536 32584.
I klog for this new PAG and then ssh to my own machine.
It picks up the old PAG (and thus has tokens), but the tokens
aren't new -- they're the old tokens -- notice how they
expire sooner than the $ obtained tokens.

(NB: I have kdestroy in my .logout -- but not unlog.
Until the KerbIV problems were discovered I was using aklog for
KerbIV cross-realm authentication.)

John
P.S. If convenient, please reply to me personally as well as the list
     since I get it in digest form.

pabst.cs 23 % groups
33536 32554 boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac
pabst.cs 24 % pagsh
$ groups
33536 32584 boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac
$ klog
Password:
$ ssh pabst.cs.uwm.edu
Password: 
Last login: Wed Sep 17 18:05:37 2003 from out-of-the-box.
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
msgs: Command not found
pabst.cs 1 % groups
33536 32554 boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac
pabst.cs 2 % tokens

Tokens held by the Cache Manager:

User's (AFS ID 920) tokens for afs@cs.uwm.edu [Expires Sep 19 11:01]
   --End of list--
pabst.cs 3 % exit
pabst.cs 4 % logout
No tickets to destroy.
Connection to pabst.cs.uwm.edu closed.
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 920) tokens for afs@cs.uwm.edu [Expires Sep 19 11:30]
   --End of list--
$ unlog
$ exit
pabst.cs 25 % tokens

Tokens held by the Cache Manager:

User's (AFS ID 920) tokens for afs@cs.uwm.edu [Expires Sep 19 11:01]
   --End of list--
pabst.cs 26 %
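
The following is an added example, not part of the original post and not OpenAFS code: it decodes the PAG number from the first two entries of each `groups` line in the transcript above and reports which sessions ended up holding the same PAG. It assumes the two-group-ID PAG encoding (offset 0x3f00 on both IDs, marker byte 'A' in the top byte of the result); the session labels and function names are made up for the illustration.

```python
# Added example: decode the PAG from the first two entries of `groups` output.
# Assumption: the two-group-ID PAG encoding (offset 0x3f00, marker byte 'A').
from collections import defaultdict

PAG_GID_OFFSET = 0x3F00


def pag_from_groups(groups_line):
    """Return the 32-bit PAG encoded in the first two group IDs, or None."""
    fields = groups_line.split()
    if len(fields) < 2 or not (fields[0].isdigit() and fields[1].isdigit()):
        return None
    g0 = int(fields[0]) - PAG_GID_OFFSET
    g1 = int(fields[1]) - PAG_GID_OFFSET
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g1 >> 14) + 3 * (g0 >> 14)
    pag = (high << 28) | low
    # A real PAG carries 'A' (0x41) in its top byte; anything else is
    # an ordinary pair of numeric groups.
    return pag if (pag >> 24) == 0x41 else None


def shared_pags(sessions):
    """Map each PAG held by more than one session to those session labels."""
    holders = defaultdict(list)
    for label, groups_line in sessions:
        pag = pag_from_groups(groups_line)
        if pag is not None:
            holders[pag].append(label)
    return {pag: labels for pag, labels in holders.items() if len(labels) > 1}


# `groups` lines taken from the transcript above; the labels are hypothetical.
TAIL = " boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac"
SESSIONS = [
    ("original login shell", "33536 32554" + TAIL),
    ("pagsh shell", "33536 32584" + TAIL),
    ("ssh login from pagsh", "33536 32554" + TAIL),
]

if __name__ == "__main__":
    for pag, labels in shared_pags(SESSIONS).items():
        print(f"PAG {pag:#010x} is shared by: {', '.join(labels)}")
```

A fresh PAM login is expected to get a PAG of its own, so any PAG reported here as shared between an existing shell and a new ssh session matches the behaviour described in the post.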