[OpenAFS] PAM-AFS isn't working with openssh-3.7.1p1 (sun4x_58)
Christian Pfaffel
flash@itp.tu-graz.ac.at
23 Sep 2003 09:53:48 +0200
> > > >
> > > > Here's why openssh + pam_afs is not working:
> > > >
> > > > 1. OpenSSH now has a 2-step process for establishing credentials.
> > > > The PAM client in OpenSSH does something like:
> > > >
> > > > pam_authenticate();
> > > > pam_setcred(PAM_ESTABLISH_CRED);
> > > > initgroups(); <--- PROBLEM!!!
> > > > pam_setcred(PAM_REINITIALIZE_CRED);
> > > >
> > > > 2. OpenAFS's pam_afs essentially does nothing in the setcred phase
> > > > if the REINITIALIZE_CRED flag is set.
> > > >
I don't think that this is the only problem. I had a look at the ssh
sources and made a posting yesterday with a patch. It fixes the
problems I found with my combination of pam_krb5 and pam_aklog.
What happens is that the authentication thread is executed in a
separate thread where only pam_authenticate() is executed. The thread
exits and pam_setcred() does not get executed in the same
thread. Environment variables do not get stored as they should.
Maybe you can take something useful from the patch.
regards
Christian
--
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg
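
Added example, not part of the original message and not OpenSSH or OpenAFS code: a small C model of the call order quoted above, showing why a setcred hook that ignores the reinitialize flag leaves the session without its AFS credential state. It assumes the PAG is carried in the supplementary group list, which is what makes initgroups() destructive; the flag values, the PAG marker, the group database and every `model_*` name are constructed for this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed flag values; real ones come from <security/pam_appl.h>. */
enum { ESTABLISH_CRED = 1, REINITIALIZE_CRED = 2 };

#define MAX_GROUPS 8
#define PAG_MARKER 0x41000000u  /* hypothetical: GIDs in this range stand for a PAG */

struct proc {                   /* toy process credential */
    unsigned groups[MAX_GROUPS];
    int ngroups;
};

static int has_pag(const struct proc *p) {
    for (int i = 0; i < p->ngroups; i++)
        if ((p->groups[i] & 0xff000000u) == PAG_MARKER) return 1;
    return 0;
}

/* Model of setpag(): attach a PAG group if none is present. */
static void model_setpag(struct proc *p) {
    if (!has_pag(p) && p->ngroups < MAX_GROUPS)
        p->groups[p->ngroups++] = PAG_MARKER | 1u;
}

/* Model of initgroups(): overwrite the whole supplementary list. */
static void model_initgroups(struct proc *p) {
    static const unsigned db[] = { 100, 200 };  /* constructed group database */
    memcpy(p->groups, db, sizeof db);
    p->ngroups = 2;
}

/* Model of a module's setcred hook; handles_reinit selects the behaviour. */
static void model_setcred(struct proc *p, int flag, int handles_reinit) {
    if (flag == ESTABLISH_CRED || (flag == REINITIALIZE_CRED && handles_reinit))
        model_setpag(p);
}

/* Runs the quoted sequence; returns 1 if the PAG is still attached afterwards. */
int pag_survives_login(int handles_reinit) {
    struct proc p = { {0}, 0 };
    model_setcred(&p, ESTABLISH_CRED, handles_reinit);
    model_initgroups(&p);                       /* wipes the PAG group */
    model_setcred(&p, REINITIALIZE_CRED, handles_reinit);
    return has_pag(&p);
}

int main(void) {
    printf("ignores REINITIALIZE: pag=%d\n", pag_survives_login(0));
    printf("handles REINITIALIZE: pag=%d\n", pag_survives_login(1));
    return 0;
}
```

The model covers only the ordering problem from the quoted message; the separate-thread issue described in the reply is not represented.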