[OpenAFS] openssh-3.7.1, pam and no token after login

Matthew Hoskins matt@njit.edu
Mon, 15 Mar 2004 11:01:17 -0500


This thread seems to have died...  Did anyone ever find a combination of 
patches/config options that allow a modern version of openssh to get a 
pag+token?

I have tried just about every combination of UsePAM, 
UsePrivilegeSeparation, 3.7p and 3.8p versions.  My platform is solaris 8.

Thanks
-Matt



Jeffrey Hutzelman wrote:

>
>
> On Tuesday, December 16, 2003 03:45:37 +0100 Hendrik Hoeth 
> <hendrik.hoeth@cern.ch> wrote:
>
>> Hi,
>>
>> I've got a small but annoying problem. My configuration is:
>>
>> - openafs-client (plain afs, no third-party kerberos)
>> - openssh-3.7.1
>> - pam
>>
>> When I login via ssh, I won't get a new token (though I can login).  If
>> I then use klog to obtain a token, logout (no unlog), ssh again, I have
>> the token which I got from klog before.
>>
>> This problem appeared after upgrading to openssh-3.7.1, older versions
>> of openssh worked fine.  Any hints?
>
>
> As I understand it, OpenSSH starting in 3.7.0 or 3.7.1 runs PAM 
> session modules in a subprocess, even if privsep is not enabled.  The 
> result is that changes made by these modules, such as establishing a 
> new PAG into which your tokens are placed, are not inherited by your 
> shell.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info