pam issues - was Re: [OpenAFS] Is OpenAFS appropriate?

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 21 Jan 2004 16:37:25 -0500


On Wednesday, January 21, 2004 11:16:20 -0600 John Tang Boyland 
<boyland@solomons.cs.uwm.edu> wrote:

> Just wanted to point out that (open)sshd doesn't work well with PAM/AFS.
> Like you said, you have to klog again after logging on, even after
> using PAM for AFS login.
>
> This has been reported off and on in openafs-info since openssh 3.7.1
>
> It happens because sshd loses the PAG for the login shell.  This means
> that next time you log on (if it's within 25 hours), you will still
> have your tokens which makes sftp etc better than useless.

It's worse than that.  Starting with OpenSSH 3.7.1, pam session modules are 
run in a separate subprocess which is not in the inheritance chain for the 
user's shell.  This happens even if privilege separation is not enabled. 
The result is that obtaining a new PAG and setting tokens are both done in 
this subprocess which is then thrown away.  So you don't get a new PAG, and 
you don't get tokens, and there's basically nothing the PAM module 
maintainer can do about it.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA