[OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.
Marcus Watts
mdw@umich.edu
Mon, 18 Dec 2006 21:46:37 -0500
Russ had said:
> dont_fork is the most interesting option here to me, since that prevents
> the PAM module from doing the -setpag thing.
Ah. I had noticed:
    } else if (strcasecmp(argv[i], "dont_fork") == 0) {
        ;
in afs_setcred.c, but hadn't bothered to look at afs_auth.c.
Um... Oh. Right. Ye olde duplicated code thing.
There must be a good reason for this.
Right. "dont_fork" is the way this should work.
And yes, "defect 11686" is probably why "dont_fork" isn't
the default. Since afs_setcred does a lot of it anyways, I
don't know if dont_fork is as useful as advertised - how does this stuff
call rx_Finalize() after afs_sm_setcred is invoked? And, right, set_token
does ever so interesting games which are of interest depending on if the
application calls pam_setcred().
I'm not positive, but I believe it's conceivable that sshd + pam is
resulting in calling ka_UserAuthenticateGeneral twice nearly in a row,
possibly with different but interesting options in terms of from which
process & pag the call is made. This might cause interesting timing
windows that might be difficult to duplicate from the command line.
-Marcus Watts