[OpenAFS] Solaris/SunOS 5.8 token sharing
Russ Allbery
rra@stanford.edu
Wed, 27 Sep 2006 19:17:53 -0700
Carson Gaspar <carson@taltos.org> writes:
> Almost certainly - PAM fixes abound in recent openssh versions. Things
> to try:
> - Turn off PrivSep (most likely to fix your problem)
> - Test the newly released 4.4p1
Note that privilege separation is fine provided that the PAG is created in
your session module. The problem comes with PAM modules that create the
PAG during authentication (such as the K4 PAM module that comes with
OpenAFS), which really isn't correct given the semantics of PAM anyway.
OpenSSH will run the session module at the right place for PAG semantics
to work properly.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>