[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)

Douglas E. Engert deengert@anl.gov
Mon, 22 Sep 2003 19:16:13 -0500


The Solaris man pages say: 

 The initgroups() function will fail and not change the
     supplementary group access list if:

     EPERM     The effective user ID is not super-user.

Your test below is not being run as root, and the initgroups may be
failing, which would leave the groups as.

Charles Clancy wrote:
> 
> Indeed.  I didn't have a system to test with, when I suggested that
> solution.  After finding one, when I run:
> 
> #include <grp.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <afs/param.h>
> int setpag(void);   /* prototype for the AFS client library's setpag() */
> int main(void) {
>         system("id");                 /* groups before a PAG exists */
>         setpag();                     /* ask the AFS client for a new PAG */
>         system("id");                 /* the two PAG groups should now appear */
>         if (initgroups("clancy", 100) != 0)
>                 perror("initgroups"); /* non-zero: group list not replaced */
>         system("id");                 /* are the PAG groups still there? */
>         return 0;
> }
> 
> I do indeed get:
> uid=100(clancy) gid=100(clancy) groups=100(clancy)
> uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)
> uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)
> 
> So I suppose that isn't the problem.
> 
> [ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
> [ computer science ]------[ university of maryland, college park ]
> 
> On Mon, 22 Sep 2003, Neulinger, Nathan wrote:
> 
> > Why is initgroups() killing the pag? It's not supposed to. It should
> > retain those extra groups as part of the syscall replacement.
> >
> > -- Nathan
> >
> > ------------------------------------------------------------
> > Nathan Neulinger                       EMail:  nneul@umr.edu
> > University of Missouri - Rolla         Phone: (573) 341-4841
> > UMR Information Technology             Fax: (573) 341-4216
> >
> >
> > > -----Original Message-----
> > > From: Charles Clancy [mailto:security@xauth.net]
> > > Sent: Monday, September 22, 2003 10:48 AM
> > > To: John Tang Boyland
> > > Cc: openafs-info@openafs.org
> > > Subject: Re: [OpenAFS] PAM-AFS isn't working with
> > > openssh-3.7.1p1 (sun4x_58)
> > >
> > >
> > > Here's why openssh + pam_afs is not working:
> > >
> > > 1. OpenSSH now has a 2-step process for establishing credentials.  The
> > >    PAM client in OpenSSH does something like:
> > >
> > >    pam_authenticate();
> > >    pam_setcred(PAM_ESTABLISH_CRED);
> > >    initgroups();  <--- PROBLEM!!!
> > >    pam_setcred(PAM_REINITIALIZE_CRED);
> > >
> > > 2. OpenAFS's pam_afs essentially does nothing in the setcred phase if the
> > >    REINITIALIZE_CRED flag is set.
> > >
> > > So, it authenticates, gets the tokens and PAG, but then initgroups kills
> > > your PAG.
> > >
> > > Here is a patch for openafs/src/pam/afs_setcred.c that should fix the
> > > problem:
> > >
> > > --- src/pam/afs_setcred.c.orig  Mon Sep 22 11:44:19 2003
> > > +++ src/pam/afs_setcred.c       Mon Sep 22 11:45:06 2003
> > > @@ -173,14 +173,11 @@
> > >         pam_afs_syslog(LOG_DEBUG, PAMAFS_DELCRED, user);
> > >
> > >         RET(PAM_SUCCESS);
> > > +
> > > +#if 0  /* Incompatable with OpenSSH 3.7.1 */
> > >      } else if (flags & PAM_REINITIALIZE_CRED) {
> > >
> > >        if (logmask && LOG_MASK(LOG_DEBUG))
> > >          pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
> > >          RET(PAM_SUCCESS);
> > > +#endif
> > >
> > >      } else { /* flags are PAM_REFRESH_CRED,
> > > PAM_ESTABLISH_CRED, unknown
> > > */
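Review bot: the hunk header `@@ -173,14 +173,11 @@` claims the new side is three lines shorter than the old, yet the hunk contains only `+` lines (three added, none removed), so either the counts were mangled in transit or the diff was generated with the two files reversed; regenerate it with `diff -u src/pam/afs_setcred.c.orig src/pam/afs_setcred.c` before anyone tries to apply it, because `patch` rejects a hunk whose counts do not match its body. On the change itself: putting `} else if (flags & PAM_REINITIALIZE_CRED) {` and its body under `#if 0` makes a PAM_REINITIALIZE_CRED call fall through into the final `else` (the PAM_REFRESH_CRED / PAM_ESTABLISH_CRED path), which is evidently the intent but is stated nowhere in the code; the `#if 0` comment should say that REINITIALIZE is deliberately handled like ESTABLISH so the tokens and PAG are re-obtained after the caller's initgroups(), and "Incompatable" should read "Incompatible". Rather than `#if 0`, leaving the branch in place and making the fall-through explicit (for example a `PAM_REINITIALIZE_CRED` case whose comment says "treated as ESTABLISH: OpenSSH calls initgroups() in between" and then runs the establish code) keeps the behaviour visible to the next person who reformats this function. While touching these lines, the pre-existing `RET(PAM_SUCCESS);` after `pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);` is indented as though it were part of the `if (logmask && LOG_MASK(LOG_DEBUG))` body but is not; its indentation should be fixed so the control flow reads as it executes.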
> > >
> > >
> > > [ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
> > > [ computer science ]------[ university of maryland, college park ]
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > >

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
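As an added example that is not part of any message in this thread: the id(1) output quoted above is being read by eye for the two odd-looking groups (33536 and 32512) that carry the PAG. The block below, written for this page rather than taken from OpenAFS, OpenSSH or any poster, mirrors the gid/PAG mapping used by OpenAFS's afs_get_groups_from_pag() and afs_get_pag_from_groups() in src/afs/afs_osi_pag.c, and decodes those groups from an id line so the "did initgroups() drop the PAG" check in the test program can be scripted. The constants and the 'A' top-byte guard are copied from those routines as I know them and are an assumption to verify against the client version in use; pag_from_id_line, pag_in_group_list and pag_round_trips are names invented here.

```c
/*
 * Added example, not code from any message in this thread.  Mirrors the
 * gid <-> PAG mapping of OpenAFS's afs_get_groups_from_pag() and
 * afs_get_pag_from_groups() (src/afs/afs_osi_pag.c) so the "groups=" field
 * of an id(1) line can be decoded instead of eyeballed.  The constants are
 * copied from those routines and assumed to match the client in use.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOPAG        0xffffffffU
#define PAG_GID_BASE 0x3f00U

/* PAG -> the two supplementary gids the AFS client pushes onto the process. */
void groups_from_pag(uint32_t pag, uint32_t *g0p, uint32_t *g1p)
{
    uint32_t g0, g1;
    pag &= 0x7fffffff;
    g0 = 0x3fff & (pag >> 14);
    g1 = 0x3fff & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = g0 + PAG_GID_BASE;
    *g1p = g1 + PAG_GID_BASE;
}

/* Two gids -> PAG, or NOPAG if the pair is not a PAG encoding. */
uint32_t pag_from_groups(uint32_t g0, uint32_t g1)
{
    uint32_t h, l, ret;
    g0 -= PAG_GID_BASE;           /* unsigned wrap: a gid below the base  */
    g1 -= PAG_GID_BASE;           /* fails the range check that follows   */
    if (g0 < 0xc000 && g1 < 0xc000) {
        l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
        h = g0 >> 14;
        h = (g1 >> 14) + h + h + h;
        ret = (h << 28) | l;
        if (((ret >> 24) & 0xff) == 'A')  /* generated PAGs carry 'A' on top */
            return ret;
    }
    return NOPAG;
}

/* 1 if encoding pag as gids and decoding again yields the same pag. */
int pag_round_trips(uint32_t pag)
{
    uint32_t g0, g1;
    groups_from_pag(pag, &g0, &g1);
    return pag_from_groups(g0, g1) == pag;
}

/* First adjacent pair in a supplementary group list that decodes to a PAG. */
uint32_t pag_in_group_list(const uint32_t *gids, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        uint32_t pag = pag_from_groups(gids[i], gids[i + 1]);
        if (pag != NOPAG)
            return pag;
    }
    return NOPAG;
}

/* Parse "groups=1,2,3(name)" out of an id(1) line; return its PAG or NOPAG. */
uint32_t pag_from_id_line(const char *line)
{
    uint32_t gids[64];
    size_t n = 0;
    const char *p = strstr(line, "groups=");
    if (p == NULL)
        return NOPAG;
    p += strlen("groups=");
    while (*p != '\0' && n < 64) {
        char *end;
        gids[n] = (uint32_t)strtoul(p, &end, 10);
        if (end == p)
            break;                      /* not a number: stop */
        n++;
        p = strchr(end, ',');           /* skips any "(name)" and the comma */
        if (p == NULL)
            break;
        p++;
    }
    return pag_in_group_list(gids, n);
}

int main(void)
{
    /* the three id(1) lines quoted in the thread, embedded as sample input */
    const char *lines[] = {
        "uid=100(clancy) gid=100(clancy) groups=100(clancy)",
        "uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)",
        "uid=100(clancy) gid=100(clancy) groups=33536,32512,100(clancy)",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint32_t pag = pag_from_id_line(lines[i]);
        if (pag == NOPAG)
            printf("step %zu: no PAG in the group list\n", i + 1);
        else
            printf("step %zu: PAG 0x%08x\n", i + 1, (unsigned)pag);
    }
    return 0;
}
```

Build with `cc -std=c99 -o pagcheck pagcheck.c`. The pair 33536,32512 decodes to PAG 0x41000000, and the first line (no PAG groups) decodes to NOPAG, which is the condition the third `id` in the test program is meant to catch. The round-trip helper also shows why the 'A' guard matters: an arbitrary 32-bit value encodes into two gids but does not decode back, so stray supplementary groups in the 0x3f00 range are not mistaken for a PAG.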