[OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.

Marcus Watts mdw@umich.edu
Mon, 18 Dec 2006 21:46:37 -0500

Russ had said:
> dont_fork is the most interesting option here to me, since that prevents
> the PAM module from doing the -setpag thing.

Ah.  I had noticed:
	        } else if (strcasecmp(argv[i], "dont_fork") == 0) {
in afs_setcred.c, but hadn't bothered to look at afs_auth.c.

Um...  Oh.  Right.  Ye olde duplicated code thing.
There must be a good reason for this.
Right.  "dont_fork" is the way this should work.
And yes, "defect 11686" is probably why "dont_fork" isn't
the default.  Since afs_setcred does a lot of it anyways, I
don't know if dont_fork is as useful as advertised - how does this stuff
call rx_Finalize() after afs_sm_setcred is invoked?  And, right, set_token
does ever so interesting games which are of interest depending on if the
application calls pam_setcred().

I'm not positive, but I believe it's conceivable that sshd + pam is
resulting in calling ka_UserAuthenticateGeneral twice nearly in a row,
possibly with different but interesting options in terms of from which
process & pag the call is made.  This might cause interesting timing
windows that might be difficult to duplicate from the command line.

				-Marcus Watts