pam issues - was Re: [OpenAFS] Is OpenAFS appropriate?

Matthew Andrews matt@slackers.net
Wed, 21 Jan 2004 14:14:42 -0800


oops, sent this to jhutz, but missed the list.

could we have an option to the pam module that caused it to do the same
thing as "klog -setpag" so that the pag of the parent process gets
updated? I'm not sure how klog does this, so I'm not sure under what
circumstances (i.e. what privileges etc.) this can be done.

thoughts?

-Matt


Jeffrey Hutzelman wrote:

> On Wednesday, January 21, 2004 11:16:20 -0600 John Tang Boyland 
> <boyland@solomons.cs.uwm.edu> wrote:
>
>> Just wanted to point out that (open)sshd doesn't work well with PAM/AFS.
>> Like you said, you have to klog again after logging on, even after
>> using PAM for AFS login.
>>
>> This has been reported off and on in openafs-info since openssh 3.7.1
>>
>> It happens because sshd loses the PAG for the login shell.  This means
>> that next time you log on (if it's within 25 hours), you will still
>> have your tokens which makes sftp etc better than useless.
>
>
> It's worse than that.  Starting with OpenSSH 3.7.1, pam session 
> modules are run in a separate subprocess which is not in the 
> inheritance chain for the user's shell.  This happens even if 
> privilege separation is not enabled. The result is that obtaining a 
> new PAG and setting tokens are both done in this subprocess which is 
> then thrown away.  So you don't get a new PAG, and you don't get 
> tokens, and there's basically nothing the PAM module maintainer can do 
> about it.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
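A shell diagnostic for the symptom discussed in this thread, added here as an example that is not code from the thread or from OpenAFS. It checks whether a login shell actually ended up with a PAG and with tokens, so the sshd subprocess problem can be confirmed rather than guessed at. Assumptions: on Linux, OpenAFS represents the PAG as a supplementary group id whose high byte is 0x41 (decimal 1090519040 to 1107296255), and `tokens` prints one "tokens for afs@CELL" line per cell for which a token is held; the sample inputs are constructed.

```sh
#!/bin/sh
# Check whether this login shell holds an AFS PAG and AFS tokens.
# Assumed (not stated in the thread): Linux OpenAFS encodes a PAG as a gid
# with high byte 0x41; `tokens` prints "tokens for afs@CELL" per held token.

# has_pag GIDS: GIDS is the space-separated output of `id -G`.
# Returns 0 if one gid lies in the assumed PAG range, 1 otherwise.
has_pag() {
    for gid in $1; do
        case "$gid" in
            *[!0-9]*|'') continue ;;
        esac
        if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
            return 0
        fi
    done
    return 1
}

# count_tokens TOKENS_OUTPUT: number of cells `tokens` reported a token for.
count_tokens() {
    printf '%s\n' "$1" | grep -c 'tokens for afs@' || true
}

# diagnose GIDS TOKENS_OUTPUT: prints a verdict; exit code 0 = PAG and
# tokens, 1 = PAG but no tokens, 2 = tokens but no PAG (tokens keyed by
# uid, so shared by every process of this uid), 3 = neither.
diagnose() {
    pag=1
    has_pag "$1" && pag=0
    tok=$(count_tokens "$2")
    if [ "$pag" -eq 0 ] && [ "$tok" -gt 0 ]; then echo "ok: PAG present, $tok token(s)"; return 0; fi
    if [ "$pag" -eq 0 ]; then echo "PAG present but no tokens: run klog"; return 1; fi
    if [ "$tok" -gt 0 ]; then echo "tokens but no PAG: tokens are keyed by uid, not a PAG"; return 2; fi
    echo "no PAG and no tokens: run klog -setpag"; return 3
}

# Constructed sample data standing in for `id -G` and `tokens` output.
SAMPLE_GIDS_NOPAG="1000 4 24 27"
SAMPLE_GIDS_PAG="1000 4 24 27 1090519041"
SAMPLE_TOKENS_NONE="
Tokens held by the Cache Manager:

   --End of list--"
SAMPLE_TOKENS_ONE="
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Jan 22 14:14]
   --End of list--"

# On a real host: diagnose "$(id -G)" "$(tokens)"
```

Run it from the shell you got via ssh; exit code 3 after a PAM-only login is the behaviour Jeffrey describes, where the PAG and tokens were created in a subprocess sshd then discarded.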