[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)
Charles Clancy
security@xauth.net
Mon, 22 Sep 2003 18:06:02 -0500 (CDT)
Indeed. I didn't have a system to test with, when I suggested that
solution. After finding one, when I run:
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <afs/param.h>

int setpag(void);                /* provided by the OpenAFS sys library */

int main(void)
{
    system("id");                /* supplementary groups before setpag() */
    setpag();                    /* new PAG: should add the two PAG gids */
    system("id");
    initgroups("clancy", 100);   /* rebuild the group list from /etc/group */
    system("id");                /* do the PAG gids survive? */
    return 0;
}
I do indeed get:
uid=100(clancy) gid=100(clancy) groups=100(clancy)
uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)
uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)
So I suppose that isn't the problem.
[ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]------[ university of maryland, college park ]
On Mon, 22 Sep 2003, Neulinger, Nathan wrote:
> Why is initgroups() killing the pag? It's not supposed to. It should
> retain those extra groups as part of the syscall replacement.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> UMR Information Technology Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: Charles Clancy [mailto:security@xauth.net]
> > Sent: Monday, September 22, 2003 10:48 AM
> > To: John Tang Boyland
> > Cc: openafs-info@openafs.org
> > Subject: Re: [OpenAFS] PAM-AFS isn't working with
> > openssh-3.7.1p1 (sun4x_58)
> >
> >
> > Here's why openssh + pam_afs is not working:
> >
> > 1. OpenSSH now has a 2-step process for establishing
> > credentials. The PAM
> > client in OpenSSH does something like:
> >
> > pam_authenticate();
> > pam_setcred(PAM_ESTABLISH_CRED);
> > initgroups(); <--- PROBLEM!!!
> > pam_setcred(PAM_REINITIALIZE_CRED);
> >
> > 2. OpenAFS's pam_afs essentially does nothing in the setcred
> > phase if the
> > REINITIALIZE_CRED flag is set.
> >
> > So, it authenticates, gets the tokens and PAG, but then
> > initgroups kills
> > your PAG.
> >
> > Here is a patch for openafs/src/pam/afs_setcred.c that should fix the
> > problem:
> >
> > --- src/pam/afs_setcred.c.orig Mon Sep 22 11:44:19 2003
> > +++ src/pam/afs_setcred.c Mon Sep 22 11:45:06 2003
> > @@ -173,14 +173,11 @@
> > pam_afs_syslog(LOG_DEBUG, PAMAFS_DELCRED, user);
> >
> > RET(PAM_SUCCESS);
> > +
> > +#if 0 /* Incompatable with OpenSSH 3.7.1 */
> > } else if (flags & PAM_REINITIALIZE_CRED) {
> >
> > if (logmask && LOG_MASK(LOG_DEBUG))
> > pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
> > RET(PAM_SUCCESS);
> > +#endif
> >
> > } else { /* flags are PAM_REFRESH_CRED,
> > PAM_ESTABLISH_CRED, unknown
> > */
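Review bot: the hunk header `@@ -173,14 +173,11 @@` does not match the hunk body: the body only adds lines (`+`, `+#if 0 /* Incompatable with OpenSSH 3.7.1 */`, `+#endif`) and removes none, so the new-side count should be 14 + 3 = 17, not 11, and `patch` will likely reject it or apply it with fuzz; regenerate the diff with `diff -u` rather than editing the counts by hand. On the change itself, wrapping the PAM_REINITIALIZE_CRED branch in `#if 0` silently disables it for every PAM client, not just OpenSSH 3.7.1, and the flag now falls through to the final `else`; if that is the intended behaviour, make it explicit: either remove the branch outright with a comment saying why REINITIALIZE_CRED must re-establish the tokens and PAG, or add the flag to the fallthrough branch's comment, e.g. `} else { /* flags are PAM_REFRESH_CRED, PAM_ESTABLISH_CRED, PAM_REINITIALIZE_CRED, unknown */`, so the next reader does not think REINITIALIZE_CRED is unhandled. Also fix the spelling in the added comment: `Incompatable` should be `Incompatible`.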
> >
> >
> > [ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
> > [ computer science ]------[ university of maryland, college park ]
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
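The `id` output at the top of this message shows two extra gids, 33536 and 32512, appearing after setpag() and surviving initgroups(). The program below is an added check, not code from this thread or from the OpenAFS tree: it decodes such a gid pair back into the PAG it encodes, using the two-gid PAG encoding as the editor understands it from OpenAFS's afs_get_pag_from_groups() and afs_get_groups_from_pag(). The function names, the 0x3f00 gid offset, the 'A' top-byte check and the NOPAG value are assumptions from that reading; the constructed group lists are taken from the `id` lines above, and the last step runs the same check on the calling process, which is what you would want from inside a PAM session to confirm the PAG really was kept.

```c
/* pagcheck.c: decode a PAG from a process's supplementary group list.
 * Added example; reimplements the classic two-gid PAG encoding as the
 * editor reads it from OpenAFS (assumption, not the project's own code). */
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>

#define PAG_GID_BASE 0x3f00u    /* offset added to both encoded gids (assumed) */
#define NOPAG        0xffffffffu /* "no PAG" sentinel (assumed) */

/* Decode a PAG from two adjacent gids; returns NOPAG if they are not one. */
uint32_t pag_from_groups(gid_t g0a, gid_t g1a)
{
    uint32_t g0 = (uint32_t)g0a - PAG_GID_BASE;   /* underflow wraps large */
    uint32_t g1 = (uint32_t)g1a - PAG_GID_BASE;
    uint32_t h, l, ret;

    if (g0 >= 0xc000 || g1 >= 0xc000)
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);    /* low 28 bits */
    h = g0 >> 14;
    h = (g1 >> 14) + h + h + h;                   /* top nibble, base 3 */
    ret = (h << 28) | l;
    /* A genuine PAG carries 'A' (0x41) in its top byte: 0x41xxxxxx. */
    return ((ret >> 24) & 0xff) == 'A' ? ret : NOPAG;
}

/* Inverse: split a PAG into the two gids setpag() installs. */
void groups_from_pag(uint32_t pag, gid_t *g0p, gid_t *g1p)
{
    uint32_t g0, g1;

    pag &= 0x7fffffff;
    g0 = 0x3fff & (pag >> 14);
    g1 = 0x3fff & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = (gid_t)(g0 + PAG_GID_BASE);
    *g1p = (gid_t)(g1 + PAG_GID_BASE);
}

/* Scan a group list for an adjacent pair that decodes to a PAG. */
uint32_t find_pag(const gid_t *groups, int ngroups)
{
    for (int i = 0; i + 1 < ngroups; i++) {
        uint32_t pag = pag_from_groups(groups[i], groups[i + 1]);
        if (pag != NOPAG)
            return pag;
    }
    return NOPAG;
}

int main(void)
{
    /* Constructed from the `id` lines in the message above. */
    gid_t before[] = { 100 };
    gid_t after[]  = { 33536, 32512, 100 };
    gid_t live[64];
    int n;

    printf("before setpag: 0x%08x\n", find_pag(before, 1));
    printf("after  setpag: 0x%08x\n", find_pag(after, 3));

    /* Same check on the calling process, e.g. run from a PAM session. */
    n = getgroups(64, live);
    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    printf("this process:  0x%08x\n", find_pag(live, n));
    return 0;
}
```

The pair from the message decodes to 0x41000000, a well-formed PAG, which is what the `id` output after initgroups() is showing intact. Run the binary from a shell that has (and one that lacks) a PAG to see NOPAG versus a real value for the live process.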