[OpenAFS] Solaris 10 (x86): pam_afs_session

Douglas E. Engert deengert@anl.gov
Tue, 26 Feb 2008 15:55:39 -0600

Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
>> Russ Allbery wrote:
>>> Unless you use the always_aklog option, pam_afs_session will do nothing
>>> unless KRB5CCNAME is set, precisely to avoid picking up old ticket
>>> caches like this using the default ticket cache name.
>> Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.
>> For testing I used a script inplace of program=aklog, to dump the args,
>> environment, uid, gid, pid, ppid and groups and tokens before calling
>> aklog.
> Oh, right, I remember this now.  It sets KRB5CCNAME before it writes out
> the ticket cache.  Sigh.
> Okay, I'll also add to the documentation that pam_afs_session should not
> be run from the session stack on Solaris, only the auth stack.

Accept for the PAM service of ssh-gssapi, it should be run in session,
as there is no PAM auth.



  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444