[OpenAFS] Solaris/SunOS 5.8 token sharing
Wed, 27 Sep 2006 18:42:44 -0700
--On Wednesday, September 27, 2006 2:25 PM -0700 Russ Allbery
> Mike Dopheide <firstname.lastname@example.org> writes:
>> OpenSSH 3.9p1 or 4.2p1
>> Building a new version of OpenSSH for 5.8 results in an sshd that ends
>> up sharing AFS tokens between users.
> Sounds like OpenSSH isn't creating a PAG properly. Generally this is done
> via PAM modules. It's possible something changed about how OpenSSH called
> PAM between those versions.
Almost certainly - PAM fixes abound in recent openssh versions. Things to
- Turn off PrivSep (most likely to fix your problem)
- Test the newly released 4.4p1
The main issue is that PAM must run as root, but most of the opensshd work
is done in a non-privileged child co-process when PrivSep is enabled for
security reasons. So some PAM modules just don't work with PrivSep enabled,
although there have been many improvements recently to make more
"differently behaved" PAM modules work properly.