[OpenAFS] Hijacking a PAG
Tue, 20 Mar 2007 17:59:08 +0200
Just one (or three) question(s) out of curiosity:
Why don't you operate on the krb5-ticket-level?
Wouldn't that be easier (and more portable to other systems)?
Any specific reason for that?
Andreas Haupt wrote:
> Hi Derek, hi Chas,
> On Tue, 20 Mar 2007, chas williams - CONTRACTOR wrote:
>> In message <Pine.LNX.email@example.com>, Andreas Haupt writes:
>>> I can have full access to the PAG environment SGE has created. How can I
>>> "transfer" the PAG now to a second "virgin" environment. As an example I
>>> have two sessions and I want the second session to be in the same PAG as
>>> the first session:
>> you can't. you will note that the key/pag doesn't allow you to read it.
>> this was intentional. i don't know much about SGE. how did qrsh
>> (or the shepherd) create the new session keyring? a pam module?
> It's calling pagsh.krb (or any other program you want).
> But ok, I've found the delinquent: pam_keyinit.so. It's configured with
> the force flag by default in /etc/pam.d/sshd which removes all existent
> session optional pam_keyinit.so force revoke
> Changing it to
> session optional pam_keyinit.so revoke
> does the trick. SGE's PAG environment won't get destroyed any more. Thanks.
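
Added example, not part of the original thread: a small Python check for the setting discussed above, flagging PAM service entries where pam_keyinit.so carries the force option, which replaces the caller's session keyring unconditionally and with it the PAG held there. The sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/sshd file (not taken from a real host).
SAMPLE_SSHD = """\
# PAM configuration for sshd (constructed sample)
auth       include      system-auth
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
-session   [success=ok default=ignore] \\
           pam_keyinit.so revoke
"""

def logical_lines(text):
    """Yield (line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def keyinit_rules(text):
    """Return [(line_no, module_type, control, options)] for pam_keyinit entries."""
    found = []
    for no, line in logical_lines(text):
        line = line.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not m:
            continue
        mtype, control, module, opts = m.groups()
        if module.rsplit("/", 1)[-1] == "pam_keyinit.so":
            found.append((no, mtype, control, opts.split()))
    return found

def forced_keyinit(text):
    """Line numbers where pam_keyinit runs with 'force' (replaces an existing session keyring)."""
    return [no for no, _, _, opts in keyinit_rules(text) if "force" in opts]

if __name__ == "__main__":
    for no in forced_keyinit(SAMPLE_SSHD):
        print(f"line {no}: pam_keyinit.so force discards the inherited session keyring")
```

To audit a host, pass the contents of each file under /etc/pam.d to `forced_keyinit` instead of the sample string.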