[OpenAFS] Solaris/SunOS 5.8 token sharing

Carson Gaspar carson@taltos.org
Wed, 27 Sep 2006 18:42:44 -0700


--On Wednesday, September 27, 2006 2:25 PM -0700 Russ Allbery 
<rra@stanford.edu> wrote:

> Mike Dopheide <dopheide@ncsa.uiuc.edu> writes:
>
>> OpenSSH 3.9p1 or 4.2p1
>
>> Building a new version of OpenSSH for 5.8 results in an sshd that ends
>> up sharing AFS tokens between users.
>
> Sounds like OpenSSH isn't creating a PAG properly.  Generally this is done
> via PAM modules.  It's possible something changed about how OpenSSH called
> PAM between those versions.

Almost certainly - PAM fixes abound in recent OpenSSH versions. Things to 
try:

- Turn off PrivSep (most likely to fix your problem)
- Test the newly released 4.4p1

The main issue is that PAM must run as root, but most of the opensshd work 
is done in a non-privileged child co-process when PrivSep is enabled for 
security reasons. So some PAM modules just don't work with PrivSep enabled, 
although there have been many improvements recently to make more 
"differently behaved" PAM modules work properly.

-- 
Carson