[OpenAFS] Hijacking a PAG

Andreas Haupt ahaupt@ifh.de
Tue, 20 Mar 2007 16:33:33 +0100 (CET)

Hi Derek, hi Chas,

On Tue, 20 Mar 2007, chas williams - CONTRACTOR wrote:

> In message <Pine.LNX.4.64.0703200757060.2150@fuchur.ifh.de>, Andreas Haupt writes:
>> I can have full access to the PAG environment SGE has created. How can I
>> "transfer" the PAG now to a second "virgin" environment. As an example I
>> have two sessions and I want the second session to be in the same PAG as
>> the first session:
> you can't.  you will note that the key/pag doesn't allow you to read it.
> this was intentional.   i don't know much about SGE.  how did qrsh
> (or the shepherd) create the new session keyring?  a pam module?

It's calling pagsh.krb (or any other program you want).

But ok, I've found the delinquent: pam_keyinit.so. It's configured with 
the force flag by default in /etc/pam.d/sshd which removes all existent 

session    optional     pam_keyinit.so force revoke

Changing it to

session    optional     pam_keyinit.so revoke

does the trick. SGE's PAG environment won't get destroyed any more. 


| Andreas Haupt                | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen                | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6             | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen             | Fax:    +49/33762/7-7216
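
The check behind the fix above, as an added example that is not part of the original message: a shell function that lists PAM service files whose session line loads pam_keyinit.so with the force option, the setting the message identifies as destroying SGE's PAG environment. The function names find_keyinit_force and make_sample and the sample files are constructed for illustration; on a real host the directory to scan would be /etc/pam.d.

```shell
#!/bin/sh
# Added example: report PAM session lines that load pam_keyinit.so with "force".

# find_keyinit_force DIR (hypothetical helper name)
# Prints "file:line: text" per hit; returns 0 if any hit was found, 1 otherwise.
find_keyinit_force() {
    hits=$(for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }                 # ignore comments
            $1 !~ /^-?session$/ { next }       # only the session stack matters here
            {
                mod = 0
                # Locate the module field; this also copes with bracketed
                # control values such as [success=1 default=ignore].
                for (i = 2; i <= NF; i++)
                    if ($i ~ /(^|\/)pam_keyinit\.so$/) { mod = i; break }
                if (!mod) next
                # Module options follow the module name.
                for (i = mod + 1; i <= NF; i++)
                    if ($i == "force") {
                        printf "%s:%d: %s\n", file, NR, $0
                        break
                    }
            }' "$f"
    done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_sample DIR: write constructed sample files (not taken from a real host).
make_sample() {
    printf '%s\n' '# constructed sample' \
        'session    optional     pam_keyinit.so force revoke' > "$1/sshd"
    printf '%s\n' 'session    optional     pam_keyinit.so revoke' \
        '#session   optional     pam_keyinit.so force revoke' > "$1/login"
}

# Demo on the constructed sample; only the sshd file should be reported.
demo=$(mktemp -d)
make_sample "$demo"
find_keyinit_force "$demo" || echo "no pam_keyinit.so line with force"
rm -rf "$demo"
```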