[OpenAFS] PAG issues with ssh

slushpupie@gmail.com
Wed, 21 Sep 2005 09:24:55 -0500


I'm having some issues with PAGs and ssh on the systems I manage. They
are all Linux (Debian Sarge) with OpenAFS 1.3.81.  We must use
Kerberos with SecurID, which puts many kinks in the way authentication
works, but those have all been worked out. sshd only allows
authentication via Kerberos, and users' home directories are in AFS, so
sshrc runs aklog as per the examples out there.

The problem is this:

When sshd starts up from boot time, it has no PAG, so when aklog runs
the user gets tokens for the whole system. While this is not the ideal
case, it is sufficient for most things at this time.

Sometimes, we need to restart sshd (config changes, or whatever). If
the user who restarts ssh has a PAG, sshd acquires the PAG. Now,
whenever a user logs in via ssh, they all share the same PAG. So the
last user to run aklog has the correct tokens, but every other user
with that PAG also has the tokens. Obviously this is a problem.

The solutions I can think of are this:

Get sshd to create separate PAGs for each authenticated user. I'm sure
there are patches out there that do this, but since we can't use any
other part of the AFS patches to ssh, I don't know how hard this will
be.

Remove the PAG of the current user before restarting ssh.  This seems
the simplest solution, but I can't figure out how to remove a PAG if
you have one. Unlog simply revokes the token, but the PAG is still
intact.

Any thoughts or ideas on this?


--
Jay Kline
http://www.slushpupie.com/
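The message above describes the failure mode (sshd restarted from inside a PAG, so every ssh session inherits one shared PAG) but gives no way to tell, before restarting, whether the current shell is in a PAG. The script below is an added example, written for this page and not part of the original message or of OpenAFS; it checks the supplementary groups of the calling process for a PAG group. It assumes the group-based PAG encoding of the OpenAFS Linux client of that era, in which the PAG is a single supplementary GID whose top byte is 0x41 (0x41000000 through 0x41FFFFFF); newer Linux clients keep the PAG in the session keyring instead, which this script does not cover. The script name `check_pag.sh`, the `--check` flag and the function names are hypothetical.

```shell
#!/bin/sh
# check_pag.sh: added example, not from the original post or from OpenAFS.
#
# Assumption: the PAG is encoded as a supplementary group whose top byte is
# 0x41, i.e. a GID in 0x41000000-0x41FFFFFF (the group-based PAG of the
# OpenAFS Linux client of that era). Keyring-based PAGs (an "afs_pag" key
# visible with `keyctl show` on newer clients) are not detected here.

# pag_gid GID...
#   Prints the PAG group if one of the given GIDs is a PAG and returns 0;
#   prints nothing and returns 1 otherwise. Non-numeric arguments are skipped.
pag_gid() {
    for g in "$@"; do
        case "$g" in
            ''|*[!0-9]*) continue ;;        # not a plain decimal GID
        esac
        # 16777216 == 2^24, so this isolates the top byte; 65 == 0x41.
        if [ $((g / 16777216)) -eq 65 ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# has_pag
#   Returns 0 if the calling process is inside a PAG, 1 otherwise,
#   using the real supplementary group list from `id -G`.
has_pag() {
    pag_gid $(id -G) >/dev/null
}

# Usage: `sh check_pag.sh --check` before restarting sshd. If this shell is
# in a PAG, the restarted daemon and every session it spawns would inherit
# it, which is exactly the shared-PAG problem described in the message.
if [ "${1:-}" = "--check" ]; then
    if pag=$(pag_gid $(id -G)); then
        echo "This shell is in PAG $pag; do not restart sshd from here." >&2
        exit 1
    fi
    echo "No PAG in this process; safe to restart sshd from here."
fi
```

`pag_gid` is kept separate from `has_pag` so it can be run against a GID list copied from another process (for example from `/proc/<pid>/status` of the running sshd) as well as against the current shell; `unlog` removes tokens only, so a PAG group found here will still be present after `unlog`.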