[OpenAFS] Hijacking a PAG
Tue, 20 Mar 2007 16:33:33 +0100 (CET)
Hi Derek, hi Chas,
On Tue, 20 Mar 2007, chas williams - CONTRACTOR wrote:
> In message <Pine.LNX.email@example.com>,Andreas Haupt write
>> I can have full access to the PAG environment SGE has created. How can I
>> "transfer" the PAG now to a second "virgin" environment. As an example I
>> have two sessions and I want the second session to be in the same PAG as
>> the first session:
> you can't. you will note that the key/pag doesn't allow you to read it.
> this was intentional. i don't know much about SGE. how did qrsh
> (or the shepherd) create the new session keyring? a pam module?
It's calling pagsh.krb (or any other program you want).
But ok, I've found the delinquent: pam_keyinit.so. It's configured with
the force flag by default in /etc/pam.d/sshd which removes all existent

    session optional pam_keyinit.so force revoke

Changing it to

    session optional pam_keyinit.so revoke

does the trick. SGE's PAG environment won't get destroyed any more.
| Andreas Haupt | E-Mail: firstname.lastname@example.org
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
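
Added example, not part of the original message and not OpenAFS or SGE code: a small Python check that reports session rules loading pam_keyinit.so with the force option, the setting the message identifies as the cause. The function names and the sample PAM text are constructed for illustration; pass real files (for instance /etc/pam.d/sshd) as arguments to scan them.

```python
import re
import sys

# Constructed sample input, not taken from a real system.
SAMPLE_SSHD = """\
# constructed sample, not a real system's file
auth       required     pam_sepermit.so
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
"""
SAMPLE_FIXED = SAMPLE_SSHD.replace("force revoke", "revoke")
# Edge cases: '-' prefixed type, full module path, continued line,
# commented-out rule, bracketed control field.
SAMPLE_EDGE = """\
-session optional /lib/security/pam_keyinit.so \\
    revoke force   # continued line
#session optional pam_keyinit.so force
session [success=ok default=ignore] pam_keyinit.so revoke
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_rules(text):
    """Yield (first_line_no, type, control, module, args) per rule of a pam.d file."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):            # backslash joins the next line
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()   # drop comments
        lineno, logical, start = start, "", None
        m = RULE.match(line)              # '@include' and blank lines do not match
        if m:
            yield lineno, m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()

def keyinit_force_rules(text):
    """Line numbers of session rules that load pam_keyinit.so with 'force'."""
    return [n for n, ptype, _ctl, module, args in parse_pam_rules(text)
            if ptype == "session"
            and module.rsplit("/", 1)[-1] == "pam_keyinit.so"
            and "force" in args]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for n in keyinit_force_rules(fh.read()):
                print(f"{path}:{n}: pam_keyinit.so is called with 'force'")
    if len(sys.argv) == 1:
        print("sample:", keyinit_force_rules(SAMPLE_SSHD), "fixed:", keyinit_force_rules(SAMPLE_FIXED))
```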