[OpenAFS] PAG issues with ssh

Douglas E. Engert deengert@anl.gov
Wed, 21 Sep 2005 13:19:36 -0500


slushpupie@gmail.com wrote:

> I'm having some issues with PAGs and ssh on the systems I manage. They
> are all Linux (Debian Sarge) with OpenAFS 1.3.81.  We must use
> kerberos with SecurID, which puts many kinks in the way authentication
> works, but those have all been worked out. sshd only allows
> authentication via kerberos, and users' home directories are in afs, so
> sshrc runs aklog as per the examples out there.
> 
> The problem is this:
> 
> When sshd starts up from boot time, it has no PAG, so when aklog runs
> the user gets tokens for the whole system. While this is not the ideal
> case, it is sufficient for most things at this time.
> 
> Sometimes, we need to restart sshd (config changes, or whatever). If
> the user who restarts ssh has a PAG, sshd acquires the PAG. Now,
> whenever a user logs in via ssh, they all share the same PAG. So the
> last user to run aklog has the correct tokens, but every other user
> with that PAG also has the tokens. Obviously this is a problem.
> 
> The solutions I can think of are this:
> 
> Get sshd to create separate PAGs for each authenticated user. I'm sure
> there are patches out there that do this, but since we can't use any
> other part of the AFS patches to ssh, I don't know how hard this will
> be.
> 
> Remove the PAG of the current user before restarting ssh.  This seems
> the simplest solution, but I can't figure out how to remove a PAG if
> you have one. Unlog simply revokes the token, but the PAG is still
> intact.
> 
> Any thoughts or ideas on this?
> 

Another solution is to use PAM to get the PAG and token. See other
posts on this list on how this can be done, for both gssapi and
when ssh calls kerberos.

> 
> --
> Jay Kline
> http://www.slushpupie.com/
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
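As an added example (not from this thread and not OpenAFS project code), the shell below answers the question a practitioner wants settled before restarting sshd: is the process I am about to restart it from, or the sshd already running, sitting in a PAG? It decodes the PAG from a process's supplementary group list using the two encodings the OpenAFS client uses: the Linux 2.6 single-GID form (a GID with 'A', 0x41, in its top byte) and the older two-GID form, where each GID is offset by 0x3f00 and the PAG is reassembled from the pair. Reading groups out of /proc/PID/status is Linux-specific; the function names, and the group lists used in the comments, are mine and constructed for illustration.

```shell
#!/bin/sh
# Added example: detect an OpenAFS PAG from a process's group list.
# Assumed encodings (as in the OpenAFS client, afs_get_pag_from_groups):
#   new style: a single GID whose top byte is 'A' (0x41), i.e. 0x41xxxxxx
#   old style: two GIDs g0, g1; after subtracting 0x3f00 both must be below
#              0xc000, then PAG = (h << 28) | ((g0 & 0x3fff) << 14) | (g1 & 0x3fff)
#              with h = 3*(g0 >> 14) + (g1 >> 14), and the result must again
#              carry 0x41 in its top byte.
# The kernel checks the first two groups for the old style; scanning every
# adjacent pair here is a convenience so the order printed by id -G does not matter.

# pag_from_gids GID... : print the PAG in hex and return 0, or print NOPAG and return 1
pag_from_gids() {
    prev=""
    for g in "$@"; do
        # new-style single-GID PAG
        if [ $(( g >> 24 )) -eq 65 ]; then
            printf '0x%x\n' "$g"
            return 0
        fi
        # old-style pair: previous GID and this one
        if [ -n "$prev" ]; then
            g0=$(( prev - 0x3f00 ))
            g1=$(( g - 0x3f00 ))
            if [ "$g0" -ge 0 ] && [ "$g0" -lt 49152 ] && [ "$g1" -ge 0 ] && [ "$g1" -lt 49152 ]; then
                l=$(( ((g0 & 0x3fff) << 14) | (g1 & 0x3fff) ))
                h=$(( (g0 >> 14) * 3 + (g1 >> 14) ))
                pag=$(( (h << 28) | l ))
                if [ $(( (pag >> 24) & 0xff )) -eq 65 ]; then
                    printf '0x%x\n' "$pag"
                    return 0
                fi
            fi
        fi
        prev=$g
    done
    echo NOPAG
    return 1
}

# pag_of_pid PID : PAG of a running process, read from its Groups: line in /proc (Linux)
pag_of_pid() {
    gids=$(sed -n 's/^Groups:[[:space:]]*//p' "/proc/$1/status")
    pag_from_gids $gids
}

# Constructed inputs for illustration:
#   pag_from_gids 100 1090519041 24   -> 0x41000001   (new style, GID 0x41000001)
#   pag_from_gids 33536 32517 100     -> 0x41000005   (old style pair 0x8300, 0x7f05)
#   pag_from_gids 100 1000 24         -> NOPAG
```

Run `pag_from_gids $(id -G)` in the shell you are about to restart sshd from, and `pag_of_pid $(pidof sshd)` against the listener afterwards. A non-NOPAG answer for the listener means it was started from a shell that had a PAG, and every session it forks will inherit that PAG unless something in the login path (the PAM session module Engert mentions calling setpag, or an sshd patch) gives each login its own.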