[OpenAFS] PAM problem with 1.4.4 and Linux
Jeff Blaine
jblaine@kickflop.net
Fri, 25 Jan 2008 11:36:56 -0500
ChallengeResponseAuthentication is set to no.
Any other ideas?
Simon Wilkinson wrote:
>
> On 25 Jan 2008, at 16:19, Jeff Blaine wrote:
>
>> Hi all, if anyone has any ideas about this, please let me know.
>>
>> * OpenAFS 1.4.4 on Red Hat Enterprise Linux Server release 5
>> * SSHD without privsep
>> * User gets in but has no tokens
>
> See my talk from last year's best practices workshop -
> http://workshop.openafs.org/afsbpw07/talks/simon2.pdf
>
> If you're running with ChallengeResponseAuthentication enabled, then SSH
> runs the PAM auth stack in a separate process. Critically, this process
> doesn't end up being an ancestor of the user's shell which means that
> the shell doesn't inherit the PAG set up by the PAM module. You either
> need to turn off ChallengeResponse (and live with the reductions in PAM
> capability that that entails), or use an AFS PAM module which creates
> the PAG in the session stack.
>
> Cheers,
>
> Simon.
>
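
Added example, not part of either message and not OpenAFS code: a Python check of the two conditions named in the quoted reply, reading the effective global ChallengeResponseAuthentication value from an sshd_config and reporting whether an AFS PAM module is loaded in the session stack. The sample files are constructed, and "pam_afs_example.so" is a placeholder module name, not one given in the thread.

```python
import os
import re

# Constructed sample files, not taken from the thread. "pam_afs_example.so"
# is a placeholder module name; substitute the AFS PAM module you deploy.
SSHD_CONFIG = """\
UsePAM yes
challengeresponseauthentication yes
ChallengeResponseAuthentication no
Match User backup
    ChallengeResponseAuthentication no
"""
PAM_SSHD = """\
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     required                    /lib/security/pam_afs_example.so
account  required                    pam_unix.so
-session optional                    pam_keyinit.so force revoke
session  required                    pam_unix.so
"""

def sshd_option(config, keyword, default):
    """Effective global value: keywords are case-insensitive, the first
    occurrence wins, and the global section ends at the first Match line."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default

def pam_types_using(pam_conf, module):
    """Management groups (auth, account, session, password) that load module."""
    types = set()
    for raw in pam_conf.splitlines():
        line = re.sub(r"\[[^\]]*\]", "bracketed", raw.split("#", 1)[0])
        fields = line.split()
        if len(fields) >= 3 and os.path.basename(fields[2]) == module:
            types.add(fields[0].lstrip("-"))
    return types

def check(sshd_config, pam_conf, module):
    # "yes" is the OpenSSH default when the keyword is absent.
    cr = sshd_option(sshd_config, "ChallengeResponseAuthentication", "yes")
    in_session = "session" in pam_types_using(pam_conf, module)
    return {"challenge_response": cr, "module_in_session": in_session,
            "pag_may_miss_shell": cr == "yes" and not in_session}
```

In the constructed sshd_config the lowercase "yes" line comes first and therefore wins over the later "no", a common reason a setting appears to be off when it is not. The check covers only the two conditions from the reply.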