[OpenAFS] PAG issues with ssh

slushpupie@gmail.com
Wed, 21 Sep 2005 13:32:14 -0500


On 9/21/05, Douglas E. Engert <deengert@anl.gov> wrote:
> Another solution is to use PAM to get the PAG and token. See other
> posts on this list on how this can be done, for both gssapi and
> when ssh calls kerberos.

Unfortunately we can't do that with our version of kerberos and ssh.

Also, I should point out that this problem exists for any daemon
process that users have access to.  Take cron, for example.  If I
restart crond, and have a PAG, crond has that same PAG now.  If I'm an
AFS admin, any user who runs a cron job now has my afs privileges (for
the lifetime of that token, anyway). So this can have some pretty
serious consequences if precautions are not taken. It seems the most
universal and safe way to deal with it would be to have some utility
to drop the PAG, if that is at all possible.


--
Jay Kline
http://www.slushpupie.com/
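An added example (not from the post above or from OpenAFS itself) of the precaution the poster describes: check whether the invoking shell holds AFS tokens before restarting a daemon, and start the daemon inside a fresh PAG so it cannot inherit the administrator's tokens. It assumes the OpenAFS client commands `tokens` and `pagsh` are installed; the sample `tokens` output in the test is constructed.

```shell
#!/bin/sh
# Guard a daemon restart so the daemon does not inherit the caller's PAG
# and AFS tokens. Assumes the OpenAFS client tools `tokens` and `pagsh`.

# Return 0 if the given `tokens` output lists at least one held token.
# `tokens` reports each held token on a line containing "tokens for afs@".
tokens_present() {
    printf '%s\n' "$1" | grep -q 'tokens for afs@'
}

# Return 0 if the calling shell currently holds AFS tokens.
shell_has_tokens() {
    tokens_present "$(tokens 2>/dev/null)"
}

# Run a command in a new PAG. Tokens are held per PAG, so the new PAG
# starts empty even when the parent shell holds admin tokens; a daemon
# started this way has no AFS privileges for other users to borrow.
start_in_fresh_pag() {
    pagsh -c "$*"
}

# Typical use on a real OpenAFS host (left as a comment so the file sources
# cleanly without the tools present):
#   if shell_has_tokens; then
#       echo "warning: this shell holds AFS tokens; starting crond in a fresh PAG" >&2
#   fi
#   start_in_fresh_pag /etc/init.d/crond restart
```

Starting every user-reachable daemon through `start_in_fresh_pag` removes the dependency on whichever admin happened to restart it last.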