[OpenAFS] Hijacking a PAG
Christof Hanke
hanke@rzg.mpg.de
Tue, 20 Mar 2007 17:59:08 +0200
Hi,
just one (or three) question(s) out of curiosity :
Why don't you operate on the krb5-ticket-level?
Wouldn't that be easier (and more portable to other systems) ?
Any specific reason for that ?
Christof
Andreas Haupt wrote:
> Hi Derek, hi Chas,
>
> On Tue, 20 Mar 2007, chas williams - CONTRACTOR wrote:
>
>> In message <Pine.LNX.4.64.0703200757060.2150@fuchur.ifh.de>,Andreas
>> Haupt write
>> s:
>>> I can have full access to the PAG environment SGE has created. How can I
>>> "transfer" the PAG now to a second "virgin" environment. As an example I
>>> have two sessions and I want the second session to be in the same PAG as
>>> the first session:
>>
>> you can't. you will note that the key/pag doesnt allow you to read it.
>> this was intentional. i dont know much about SGE. how did qrsh
>> (or the shepherd) create the new session keyring? a pam module?
>
> It's calling pagsh.krb (or any other program you want).
>
> But ok, I've found the delinquent: pam_keyinit.so. It's configured with
> the force flag by default in /etc/pam.d/sshd which removes all existent
> sessions.
>
> session optional pam_keyinit.so force revoke
>
> Changing it to
>
> session optional pam_keyinit.so revoke
>
> does the trick. SGE's PAG environment won't get destroyed any more. Thanks.
>
> Andreas
>