[OpenAFS] PAM problem with 1.4.4 and Linux

Simon Wilkinson sxw@inf.ed.ac.uk
Fri, 25 Jan 2008 16:33:35 +0000

On 25 Jan 2008, at 16:19, Jeff Blaine wrote:

> Hi all, if anyone has any ideas about this, please let me know.
> * OpenAFS 1.4.4 on Red Hat Enterprise Linux Server release 5
> * SSHD without privsep
> * User gets in but has no tokens

See my talk from last years best practices workshop - http:// 

If you're running with ChallengeResponseAuthentication enabled, then  
SSH runs the PAM auth stack in a separate process. Critcially, this  
process doesn't end up being an ancestor of the user's shell which  
means that the shell doesn't inherit the PAG setup by the PAM module.  
You either need to turn off ChallengeResponse (and live with the  
reductions in PAM capability that that entails), or use an AFS PAM  
module which creates the PAG in the session stack.