[OpenAFS] home on afs woes

Russ Allbery rra@stanford.edu
Thu, 12 Jan 2006 16:15:08 -0800


Sergio Gelato <Sergio.Gelato@astro.su.se> writes:

> If you're using privilege separation in OpenSSH, the setpag() that's
> done in the authentication phase may not affect the user session (unless
> they've managed to make that process a descendant of the one in which
> the authentication takes place, or possibly unless the "multithreaded
> sshd" hack is used). It's safer to setpag() in the session establishment
> phase.

In fact, if you're using OpenSSH 4.2 and aren't building with the
(unsupported and strongly discouraged by upstream) threading hack, any
setpag() done in the authentication phase *definitely won't* affect the
user session.  OpenSSH 4.2 spawns a child process to do the PAM calls.
(It's a stupid architecture that breaks all kinds of other things, but I'm
not guessing I'm going to get anywhere with that discussion.)

See Debian bug #342157.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
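
Added example, not part of the original message and not OpenSSH or OpenAFS code: a small C model of the process layout described above, showing why a setpag() made in a PAM child never reaches the user session. umask() stands in for setpag() (an assumption: both change per-process state that is inherited across fork() and not shared back to the parent), and all function names are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAG_MARK 077 /* constructed value standing in for "a new PAG" */

/* Stand-in for setpag(): real setpag() needs the AFS kernel module. */
static void fake_setpag(void) { umask(PAG_MARK); }

/* umask can only be read by setting it, so set and restore. */
static int has_fake_pag(void) {
    mode_t m = umask(0);
    umask(m);
    return m == PAG_MARK;
}

/* Run fn in a forked child and return its exit status (-1 on error). */
static int run_child(int (*fn)(void)) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Authentication phase: the PAM calls (and the setpag) run in a child. */
static int auth_helper(void) { fake_setpag(); return has_fake_pag(); }

/* The user's session just reports what it inherited. */
static int user_session(void) { return has_fake_pag(); }

/* Returns 1 if the user session ends up inside the PAG, 0 if not. */
int session_has_pag(int setpag_in_session_phase) {
    umask(022);                                  /* known starting state */
    if (run_child(auth_helper) != 1) return -1;  /* helper sees its own PAG */
    if (setpag_in_session_phase) fake_setpag();  /* done in the session's ancestor */
    return run_child(user_session);              /* session forked from here */
}

int main(void) {
    printf("setpag in auth child only: session in PAG = %d\n", session_has_pag(0));
    printf("setpag in session phase:   session in PAG = %d\n", session_has_pag(1));
    return 0;
}
```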