[OpenAFS] PAG issues with ssh

Garance A Drosihn drosih@rpi.edu
Thu, 22 Sep 2005 15:53:30 -0400

At 9:24 AM -0500 9/21/05, <slushpupie@gmail.com> wrote:
>The problem is this:
>When sshd starts up from boot time, it has no PAG, so when aklog
>runs the user gets tokens for the whole system. Whlie this is not
>the ideal case, it is sufficent for most things at this time.
>Sometimes, we need to restart sshd (config changes, or whatever).

For this specific case, you should send a HUP signal to the sshd
process.  The running sshd will let go of various resources,
launch a brand new copy of itself, and then terminate.  The new
sshd process will not have a PAG, because it was started by the
original PAG-less sshd process.

I realize there are times you might have to start sshd (or some
other daemon) because it is not running at all, but for the
specific example of changing sshd_config the above recommendation
is the most obvious solution.

>The solutions I can think of are this:
>1) Get sshd to create seperate pag's for each authenticated user.

I suspect this is doable, one way or another...

>2) Remove the PAG of the current user before restarting ssh.

I suspect this is not doable.

I would suggest:

3) Take advantage of some other daemon which is started at boot
    time, and thus does not have a PAG.  Then have *that* daemon
    know how to restart (or start) whatever daemons you need to
    be restartable.

Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu