[OpenAFS] PAG issues with ssh
Garance A Drosihn
drosih@rpi.edu
Thu, 22 Sep 2005 15:53:30 -0400
At 9:24 AM -0500 9/21/05, <slushpupie@gmail.com> wrote:
>
>The problem is this:
>
>When sshd starts up from boot time, it has no PAG, so when aklog
>runs the user gets tokens for the whole system. While this is not
>the ideal case, it is sufficient for most things at this time.
>
>Sometimes, we need to restart sshd (config changes, or whatever).

For this specific case, you should send a HUP signal to the sshd
process. The running sshd will let go of various resources,
launch a brand new copy of itself, and then terminate. The new
sshd process will not have a PAG, because it was started by the
original PAG-less sshd process.

I realize there are times you might have to start sshd (or some
other daemon) because it is not running at all, but for the
specific example of changing sshd_config the above recommendation
is the most obvious solution.

>The solutions I can think of are this:
>
>1) Get sshd to create separate PAGs for each authenticated user.

I suspect this is doable, one way or another...

>2) Remove the PAG of the current user before restarting ssh.

I suspect this is not doable.

I would suggest:

3) Take advantage of some other daemon which is started at boot
time, and thus does not have a PAG. Then have *that* daemon
know how to restart (or start) whatever daemons you need to
be restartable.
--
Garance Alistair Drosehn = gad@gilead.netel.rpi.edu
Senior Systems Programmer or gad@freebsd.org
Rensselaer Polytechnic Institute or drosih@rpi.edu
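
The HUP-based reload recommended in the message above, as an added shell example that is not part of the original post: it validates sshd_config, confirms the pidfile really points at a live sshd, and only then sends HUP, so the replacement sshd is launched by the running daemon rather than by an administrator's shell that may carry a PAG. The function names, the pidfile path /var/run/sshd.pid and the binary path /usr/sbin/sshd are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Assumed defaults (not from the original post): /var/run/sshd.pid, /usr/sbin/sshd.

# Print the PID stored in a pidfile if it is numeric, alive, and belongs to a
# process with the expected command name; return non-zero otherwise.
daemon_pid() {
    pidfile=$1 expected=$2
    [ -r "$pidfile" ] || { echo "no pidfile: $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "stale pidfile, pid $pid" >&2; return 1; }
    # Guard against a recycled PID: check the command name before signalling.
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -p "$pid" -o comm=)
    fi
    [ "${comm##*/}" = "$expected" ] || {
        echo "pid $pid is '$comm', not $expected" >&2; return 1; }
    echo "$pid"
}

# Send HUP to the daemon named in the pidfile; refuse if any check fails.
hup_daemon() {
    pid=$(daemon_pid "$1" "$2") || return 1
    kill -HUP "$pid"
}

# Validate sshd_config first (sshd -t), then HUP the running sshd so that it
# re-executes itself instead of being started from the current login session.
reload_sshd() {
    sshd_bin=${SSHD_BIN:-/usr/sbin/sshd}
    "$sshd_bin" -t || { echo "sshd_config invalid, not reloading" >&2; return 1; }
    hup_daemon "${SSHD_PIDFILE:-/var/run/sshd.pid}" sshd
}
```

Source the file and run `reload_sshd` as root after editing sshd_config.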