[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

Douglas E. Engert deengert@anl.gov
Thu, 18 Sep 2003 11:28:59 -0500


John Tang Boyland wrote:
> 
> ] Perchance did you do something like run sshd in one of your existing PAGs?
> 
> Yes, that would explain that behavior.
> So I have rebooted the machine so sshd starts outside of a PAG.
> 
> But I still have the basic problem that ssh apparently uses PAM enough that
> it uses my AFS password to log me on, but doesn't get a PAG, or
> retain the AFS keys:  (Presumably the tokens were allocated for a new
> PAG, but then the new PAG was lost.  In my experience with CDE session
> problems, this is caused by "incorrect" usage of PAM: the
> authentication is done in a sub-process.  Any chance the openssh people
> will be sympathetic to this problem?)

A PAG can be set in a number of ways. The -setpag option to some commands
can be used to set the PAG of the parent of the calling process (but the setpag
does not work on all systems or releases of AFS).

The PAG for the current process can also be set using a syscall. This
can be done without having to link any AFS libraries and so is useful
from a PAM exit for example. 

Here is a code snippet taken from the gssklog code which is called from a PAM
before the gssklog is called. We also use a similar piece of code if
used with aklog.


    /* Headers and declarations added so the snippet compiles on its own
     * (they are not part of the original posting).  The AIX helper path
     * is a placeholder and is site specific. */
    #include <string.h>
    #include <unistd.h>
    #include <sys/syscall.h>
    #if defined(TARGET_ARCH_SOLARIS)
    #include <sys/systeminfo.h>
    #endif
    #if defined(TARGET_ARCH_AIX)
    #include <sys/ldr.h>
    static int (*apagaix)() = 0;                    /* entry point of the loaded PAG helper */
    static char *apagaix_exec = "/PLACEHOLDER/apagaix"; /* placeholder path */
    #endif

    /*
     * the -setpag does not work on AIX or SGI
     * So get a PAG here otherwise use the -setpag option
     * of the gssklog which will set the PAG of this process
     * It also fails on Solaris 5.9
     */

    /* flag = 1 says get a PAG */
    static void get_pag(int flag)
    {
        if (flag == 1) {
    #if defined(TARGET_ARCH_IRIX)
            syscall(1065,0,0,0,0,0,0); /* AFS PAG */
    #elif defined(TARGET_ARCH_SOLARIS)
            {
                char buf[256];
                long buf_len;
                int afs_syscall;
                buf_len = 256;
                afs_syscall = 105;
                /* the AFS syscall number depends on the Solaris release */
                if (sysinfo(SI_RELEASE,buf, buf_len) > 0) {
                    if      (!strcmp(buf,"5.6"))  afs_syscall = 105;
                    else if (!strcmp(buf,"5.7"))  afs_syscall = 73;
                    else if (!strcmp(buf,"5.8"))  afs_syscall = 65;
                    else if (!strcmp(buf,"5.9"))  afs_syscall = 65;
                }
                syscall(65, afs_syscall,0,0,0,0,0);
            }
    #elif defined(TARGET_ARCH_AIX)
            /* AIX: load the PAG helper once, then call its entry point */
            if (!apagaix) {
                apagaix = load(apagaix_exec,0,0);
            }
            if (apagaix) {
                (*apagaix)();
            }
    #endif
        }
    }


> 
> John
> 
> pabst.cs 5 % groups
> 33536 32512 boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac
> pabst.cs 6 % tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 920) tokens for afs@cs.uwm.edu [Expires Sep 19 12:16]
>    --End of list--
> pabst.cs 7 % ssh pabst.cs.uwm.edu
> Password:
> Last login: Thu Sep 18 10:51:51 2003 from pabst.cs.uwm.ed
> Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
> Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
> You have new mail.
> pabst.cs 1 % tokens
> 
> Tokens held by the Cache Manager:
> 
>    --End of list--
> pabst.cs 2 % groups
> boyland cs252 cs252ta cs654 cs654ta cs754 cs754ta cs790ta cs552 cs552ta CSfac
> pabst.cs 3 %
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
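The `groups` output in the quoted transcript shows where the PAG actually lives on these systems: the two leading GIDs 33536 and 32512 before the ssh login are the cache manager's encoding of the session's PAG, and they are gone in the new login shell, which is why `tokens` comes back empty. The following is an added example (my own code, not from the posting, gssklog or OpenAFS) that decodes and re-encodes that pair. It assumes the classic two-GID PAG encoding with the constants used in OpenAFS's afs_osi_pag.c (0x3f00 bias, 14/14-bit split, 'A' in the top byte); the GIDs 1001 and 1002 stand in for the named groups in the transcript.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sentinel for "no PAG found"; OpenAFS uses (afs_uint32)-1 for NOPAG. */
#define NOPAG 0xffffffffu

/*
 * Recover the 32-bit PAG that the classic AFS cache manager encodes in two
 * consecutive supplementary GIDs.  Assumed constants (as in OpenAFS
 * afs_osi_pag.c): both GIDs are biased by 0x3f00, the low 28 bits of the
 * PAG are split 14/14 across the pair, and the top nibble is spread over the
 * two high bits of each.  A genuine PAG carries 'A' (0x41) in its top byte.
 */
uint32_t afs_pag_from_groups(uint32_t g0, uint32_t g1)
{
    uint32_t h, l, ret;

    g0 -= 0x3f00;
    g1 -= 0x3f00;
    /* unsigned wrap-around also rejects GIDs below the bias */
    if (g0 < 0xc000 && g1 < 0xc000) {
        l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
        h = (g0 >> 14);
        h = (g1 >> 14) + h + h + h;
        ret = (h << 28) | l;
        if (((ret >> 24) & 0xff) == 'A')
            return ret;
    }
    return NOPAG;
}

/* Inverse: the two GIDs the cache manager inserts for a given PAG. */
void afs_groups_from_pag(uint32_t pag, uint32_t *g0p, uint32_t *g1p)
{
    uint32_t g0, g1;

    pag &= 0x7fffffff;
    g0 = 0x3fff & (pag >> 14);
    g1 = 0x3fff & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = g0 + 0x3f00;
    *g1p = g1 + 0x3f00;
}

/*
 * Scan a supplementary group list (what `groups` prints) for an adjacent
 * pair that decodes to a PAG.  NOPAG means the session is not in a PAG,
 * the state the login shell is in after ssh in the transcript: tokens
 * obtained in a child process were tied to a PAG the shell never inherited.
 */
uint32_t find_pag_in_groups(const uint32_t *gids, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i++) {
        uint32_t pag = afs_pag_from_groups(gids[i], gids[i + 1]);
        if (pag != NOPAG)
            return pag;
    }
    return NOPAG;
}

int main(void)
{
    /* Constructed group lists mirroring the transcript: before and after ssh.
     * 1001/1002 stand in for the named groups (boyland, cs252, ...). */
    uint32_t before[] = { 33536, 32512, 1001, 1002 };
    uint32_t after[]  = { 1001, 1002 };
    uint32_t g0, g1;
    uint32_t pag = find_pag_in_groups(before, 4);

    printf("before login: PAG 0x%08x\n", pag);
    printf("after  login: PAG 0x%08x (NOPAG)\n", find_pag_in_groups(after, 2));
    afs_groups_from_pag(pag, &g0, &g1);
    printf("round trip:   %u %u\n", g0, g1);
    return 0;
}
```

Run against the transcript's numbers, the decoder yields PAG 0x41000000 for the pre-login shell and NOPAG for the post-login shell; checking for the pair in a PAM session module is a cheap way to confirm whether the process that will exec the user's shell is already inside a PAG before tokens are fetched for it.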