[OpenAFS] PAM problem with 1.4.4 and Linux
Simon Wilkinson
sxw@inf.ed.ac.uk
Fri, 25 Jan 2008 16:33:35 +0000
On 25 Jan 2008, at 16:19, Jeff Blaine wrote:
> Hi all, if anyone has any ideas about this, please let me know.
>
> * OpenAFS 1.4.4 on Red Hat Enterprise Linux Server release 5
> * SSHD without privsep
> * User gets in but has no tokens
See my talk from last year's best practices workshop - http://workshop.openafs.org/afsbpw07/talks/simon2.pdf
If you're running with ChallengeResponseAuthentication enabled, then
SSH runs the PAM auth stack in a separate process. Critically, this
process doesn't end up being an ancestor of the user's shell, which
means that the shell doesn't inherit the PAG set up by the PAM module.
You either need to turn off ChallengeResponse (and live with the
reductions in PAM capability that that entails), or use an AFS PAM
module which creates the PAG in the session stack.
Cheers,
Simon.
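The check Simon describes can be turned into a small configuration audit: read `ChallengeResponseAuthentication` from `sshd_config`, find which PAM management groups the AFS module is listed under, and flag the combination where the module sits only in the `auth` stack while ChallengeResponse is on (the auth stack then runs in a separate process and the PAG never reaches the shell). The script below is an added example and is not code from the original thread or from OpenAFS; the `sshd_config` and `/etc/pam.d/sshd` contents are constructed samples, and the module name `pam_afs.so` is an assumption (the check matches any module whose name contains "afs").

```python
"""Audit an sshd_config / pam.d stack for the lost-PAG pattern described above.

Constructed example, not from the original post or OpenAFS. Assumptions:
the AFS PAM module's file name contains "afs" (e.g. pam_afs.so, an assumed
name), and OpenSSH's default for ChallengeResponseAuthentication is "yes".
"""

# Constructed sshd_config matching the reporter's setup (no privsep, CR on).
SSHD_CONFIG = """\
# sshd_config (constructed)
Port 22
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed /etc/pam.d/sshd with the AFS module in the auth stack only.
PAM_SSHD_AUTH_ONLY = """\
#%PAM-1.0
auth       required     pam_afs.so          # assumed module name, auth stack only
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    include      system-auth
"""

# Same stack with the PAG created in the session stack instead.
PAM_SSHD_SESSION = """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    required     pam_afs.so          # assumed module name, session stack
session    include      system-auth
"""


def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def sshd_option(config, name, default):
    """Value of the first matching sshd_config directive, lower-cased.

    sshd matches keywords case-insensitively and uses the first occurrence,
    so this mirrors which setting is actually in effect.
    """
    for raw in config.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default


def afs_module_stacks(pam_config):
    """Set of PAM management groups (auth, account, session, password)
    in which a module whose name contains 'afs' is listed."""
    stacks = set()
    for raw in pam_config.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        # fields: type control module [args...]; a leading '-' on type
        # marks the line as optional in newer Linux-PAM and is ignored here.
        if len(fields) >= 3 and "afs" in fields[2].lower():
            stacks.add(fields[0].lower().lstrip("-"))
    return stacks


def diagnose(sshd_config, pam_config):
    """Return (status, explanation) for the PAG-inheritance question."""
    cr = sshd_option(sshd_config, "ChallengeResponseAuthentication", "yes")
    stacks = afs_module_stacks(pam_config)
    if "session" in stacks:
        return ("ok", "AFS module in the session stack: the PAG is created in "
                      "the process that becomes the shell's ancestor")
    if "auth" in stacks and cr == "yes":
        return ("problem", "AFS module only in the auth stack while "
                           "ChallengeResponseAuthentication is yes: sshd runs "
                           "the auth stack in a separate process, so the shell "
                           "never inherits the PAG (user logs in, no tokens)")
    if "auth" in stacks:
        return ("ok", "AFS module only in the auth stack, but ChallengeResponse "
                      "is off, so the auth stack runs in the shell's ancestor")
    return ("none", "no AFS PAM module found in this stack")


if __name__ == "__main__":
    for label, pam in (("auth-only", PAM_SSHD_AUTH_ONLY),
                       ("session", PAM_SSHD_SESSION)):
        status, why = diagnose(SSHD_CONFIG, pam)
        print(f"{label:10s} -> {status}: {why}")
```

Running it against the two constructed stacks prints `problem` for the auth-only layout and `ok` once the module is moved to the session stack, which is the second of the two fixes Simon lists; setting `ChallengeResponseAuthentication no` in the sample config flips the auth-only case to `ok` as well, matching his first option.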