[OpenAFS] PAG issues with ssh

Russ Allbery rra@stanford.edu
Wed, 21 Sep 2005 12:14:10 -0700

slushpupie@gmail.com writes:

> When sshd starts up from boot time, it has no PAG, so when aklog runs
> the user gets tokens for the whole system. While this is not the ideal
> case, it is sufficient for most things at this time.

> Sometimes, we need to restart sshd (config changes, or whatever). If the
> user who restarts ssh has a PAG, sshd acquires the PAG. Now, whenever a
> user logs in via ssh, they all share the same PAG. So the last user to
> run aklog has the correct tokens, but every other user with that PAG
> also has the tokens. Obviously this is a problem.

Yup, this is the main reason why sshd really needs to put people in a PAG.
Otherwise, you have to be sure to always start sshd outside of a PAG; you
can do that via mechanisms such as "at now", but it's hard to remember.

> The solutions I can think of are these:

> Get sshd to create separate PAGs for each authenticated user. I'm sure
> there are patches out there that do this, but since we can't use any
> other part of the AFS patches to ssh, I don't know how hard this will be.

Well, the actual code is very simple (just link with the AFS libraries and
call setpag() at the appropriate point).  You should be able to look at
the AFS code, find the call to setpag(), and just enable only it.

> Remove the PAG of the current user before restarting ssh.  This seems
> the simplest solution, but I can't figure out how to remove a pag if you
> have one. Unlog simply revokes the token, but the PAG is still intact.

You can't.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>