[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

Neulinger, Nathan nneul@umr.edu
Mon, 22 Sep 2003 12:22:04 -0500


Why is initgroups() killing the pag? It's not supposed to. It should
retain those extra groups as part of the syscall replacement.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
UMR Information Technology             Fax: (573) 341-4216


> -----Original Message-----
> From: Charles Clancy [mailto:security@xauth.net]
> Sent: Monday, September 22, 2003 10:48 AM
> To: John Tang Boyland
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)
>
>
> Here's why openssh + pam_afs is not working:
>
> 1. OpenSSH now has a 2-step process for establishing credentials.  The PAM
>    client in OpenSSH does something like:
>
>    pam_authenticate();
>    pam_setcred(PAM_ESTABLISH_CRED);
>    initgroups();  <--- PROBLEM!!!
>    pam_setcred(PAM_REINITIALIZE_CRED);
>
> 2. OpenAFS's pam_afs essentially does nothing in the setcred phase if the
>    REINITIALIZE_CRED flag is set.
>
> So, it authenticates, gets the tokens and PAG, but then initgroups kills
> your PAG.
>
> Here is a patch for openafs/src/pam/afs_setcred.c that should fix the
> problem:
>
> --- src/pam/afs_setcred.c.orig  Mon Sep 22 11:44:19 2003
> +++ src/pam/afs_setcred.c       Mon Sep 22 11:45:06 2003
> @@ -173,14 +173,11 @@
>         pam_afs_syslog(LOG_DEBUG, PAMAFS_DELCRED, user);
>=20
>         RET(PAM_SUCCESS);
> +
> +#if 0  /* Incompatable with OpenSSH 3.7.1 */
>      } else if (flags & PAM_REINITIALIZE_CRED) {
>=20
>        if (logmask && LOG_MASK(LOG_DEBUG))
>          pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
>          RET(PAM_SUCCESS);
> +#endif
>=20
>      } else { /* flags are PAM_REFRESH_CRED,=20
> PAM_ESTABLISH_CRED, unknown
> */
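
Review bot: The `#if 0` ... `#endif` pair around the `} else if (flags & PAM_REINITIALIZE_CRED) {` branch disables that branch for every PAM application, not only OpenSSH 3.7.1, and leaves dead code in the file. If the intent is for PAM_REINITIALIZE_CRED to take the same path as PAM_ESTABLISH_CRED, delete the branch outright (or guard it with a named build option) and update the comment on the final `} else {` so that it lists PAM_REINITIALIZE_CRED among the flags handled there. The hunk header reads `-173,14 +173,11` although the hunk only adds lines, so the counts should be checked before this is fed to patch(1). If the branch is kept in any form, its context line `if (logmask && LOG_MASK(LOG_DEBUG))` uses logical `&&` where a bitwise `&` mask test appears intended, and the `RET(PAM_SUCCESS);` below it is indented as if it were part of that `if`.
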
>
>
> [ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
> [ computer science ]------[ university of maryland, college park ]