[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

Charles Clancy security@xauth.net
Mon, 22 Sep 2003 10:48:00 -0500 (CDT)


Here's why openssh + pam_afs is not working:

1. OpenSSH now has a 2-step process for establishing credentials.  The PAM
   client in OpenSSH does something like:

   pam_authenticate();
   pam_setcred(PAM_ESTABLISH_CRED);
   initgroups();  <--- PROBLEM!!!
   pam_setcred(PAM_REINITIALIZE_CRED);

2. OpenAFS's pam_afs essentially does nothing in the setcred phase if the
   REINITIALIZE_CRED flag is set.

So, it authenticates, gets the tokens and PAG, but then initgroups kills
your PAG.
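Added example (not code from the original post, OpenSSH or OpenAFS): a small C model of the sequence above. The process's supplementary group list stands in for the kernel's; in classic OpenAFS a PAG is encoded there as two marker group IDs, which is why a later initgroups() silently throws it away. All function names, the flag values and the PAG group IDs are constructed stand-ins, not the real libpam or libafs API; `patched` switches the setcred dispatch between the behaviour described in point 2 and the behaviour after the REINITIALIZE_CRED branch is removed.

```c
/*
 * Model of the OpenSSH 3.7.1 credential sequence against pam_afs.
 * Hypothetical stand-ins throughout: no real PAM or AFS calls are made.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 16
/* Constructed flag values; only their distinctness matters here. */
#define PAM_ESTABLISH_CRED    0x01
#define PAM_DELETE_CRED       0x02
#define PAM_REINITIALIZE_CRED 0x04
#define PAM_REFRESH_CRED      0x08
/* Constructed PAG marker group IDs (arbitrary values for the model). */
#define PAG_GID_A 0x3f00u
#define PAG_GID_B 0x3f01u

struct proc {
    int ngroups;
    unsigned groups[MAX_GROUPS];
};

/* Model of initgroups(): replaces the whole supplementary group list. */
static void model_initgroups(struct proc *p, const unsigned *ugroups, int n) {
    p->ngroups = n;
    memcpy(p->groups, ugroups, (size_t)n * sizeof *ugroups);
}

/* A PAG is present only if both marker groups survive in the list. */
static bool has_pag(const struct proc *p) {
    bool a = false, b = false;
    for (int i = 0; i < p->ngroups; i++) {
        if (p->groups[i] == PAG_GID_A) a = true;
        if (p->groups[i] == PAG_GID_B) b = true;
    }
    return a && b;
}

/* Model of setpag(): prepend the two PAG marker groups. */
static void model_setpag(struct proc *p) {
    if (has_pag(p) || p->ngroups + 2 > MAX_GROUPS) return;
    memmove(p->groups + 2, p->groups, (size_t)p->ngroups * sizeof p->groups[0]);
    p->groups[0] = PAG_GID_A;
    p->groups[1] = PAG_GID_B;
    p->ngroups += 2;
}

/*
 * Model of pam_afs's setcred dispatch. With patched == false,
 * REINITIALIZE_CRED is a no-op (point 2 above). With patched == true,
 * REINITIALIZE_CRED falls into the same branch as ESTABLISH/REFRESH
 * and a fresh PAG is set, which is what the post's change achieves.
 */
static int model_afs_setcred(struct proc *p, int flags, bool patched) {
    if (flags & PAM_DELETE_CRED) {
        int n = 0;
        for (int i = 0; i < p->ngroups; i++)
            if (p->groups[i] != PAG_GID_A && p->groups[i] != PAG_GID_B)
                p->groups[n++] = p->groups[i];
        p->ngroups = n;
        return 0;
    }
    if (!patched && (flags & PAM_REINITIALIZE_CRED))
        return 0;            /* nothing done: the PAG lost to initgroups() stays lost */
    model_setpag(p);         /* ESTABLISH, REFRESH, unknown, or patched REINITIALIZE */
    return 0;
}

/* Runs the sshd sequence from point 1 and reports whether a PAG survives. */
bool sshd_sequence_keeps_pag(bool patched) {
    static const unsigned user_groups[] = { 100u, 1001u };  /* constructed */
    struct proc p = { 0, { 0 } };
    model_initgroups(&p, user_groups, 2);                 /* process starts with user groups */
    /* pam_authenticate() would run here; it does not touch the group list. */
    model_afs_setcred(&p, PAM_ESTABLISH_CRED, patched);   /* tokens + PAG obtained */
    model_initgroups(&p, user_groups, 2);                 /* initgroups(): PAG wiped */
    model_afs_setcred(&p, PAM_REINITIALIZE_CRED, patched);
    return has_pag(&p);
}

int main(void) {
    printf("unpatched pam_afs: PAG survives = %d\n", sshd_sequence_keeps_pag(false));
    printf("patched   pam_afs: PAG survives = %d\n", sshd_sequence_keeps_pag(true));
    return 0;
}
```

With the unpatched dispatch the final REINITIALIZE_CRED call returns without doing anything, so the session ends up without a PAG; with the branch removed it re-runs the establish path after initgroups() and the PAG is back.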

Here is a patch for openafs/src/pam/afs_setcred.c that should fix the
problem:

--- src/pam/afs_setcred.c.orig  Mon Sep 22 11:44:19 2003
+++ src/pam/afs_setcred.c       Mon Sep 22 11:45:06 2003
@@ -173,14 +173,11 @@
        pam_afs_syslog(LOG_DEBUG, PAMAFS_DELCRED, user);

        RET(PAM_SUCCESS);
+
+#if 0  /* Incompatable with OpenSSH 3.7.1 */
     } else if (flags & PAM_REINITIALIZE_CRED) {

       if (logmask && LOG_MASK(LOG_DEBUG))
         pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
         RET(PAM_SUCCESS);
+#endif

     } else { /* flags are PAM_REFRESH_CRED, PAM_ESTABLISH_CRED, unknown
*/
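Review bot: the hunk header `@@ -173,14 +173,11 @@` does not match the visible body, which has three `+` lines and no `-` lines, so the new side should be three lines longer than the old, not three shorter; together with the mail-wrapped last context line (`} else { /* flags are ...` split across two lines) and the lost leading whitespace, `patch` will most likely reject this, so please regenerate it with `diff -u` and send it as an attachment. On the substance, wrapping the `PAM_REINITIALIZE_CRED` branch in `#if 0` makes that flag fall into the final `else` together with `PAM_REFRESH_CRED` and `PAM_ESTABLISH_CRED` for every PAM client, not only OpenSSH 3.7.1; that is the intended effect, but the comment should say so (and read "Incompatible" rather than "Incompatable"), and simply deleting the three lines of the branch, or folding REINITIALIZE into the establish condition, would be clearer than leaving a dead branch behind.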


[ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]------[ university of maryland, college park ]