On Monday 26 January 2004 23:51, Jeffrey Hutzelman wrote:

> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <[EMAIL PROTECTED]> wrote:
>
> > On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
> >
> > > Worse, it would not solve the problem. The trouble here is not that AFS tokens are stored in a kernel data structure instead of a file. It's that they are indexed by a value which must be set on login, inherited from each process by its children, and must not be changeable by the user (to prevent token stealing). OpenSSH loses not because you need special code to set tokens, and not even because you need special code to generate a new PAG -- those things can be done by a PAM module. OpenSSH loses because the PAM session module gets called outside the inheritance chain of the user's shell, which means it can't set a PAG or anything else that is inherited across a fork (e.g. groups, environment variables, resource limits, etc etc etc).
> >
> > Right. And there is an easy solution: Turn off Privsep.
>
> Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run PAM session modules in a subprocess unrelated to the eventual user shell, regardless of whether privsep is enabled. AFAIK, in earlier versions, it works fine even with privsep, because while such things may be run in a subprocess, they are run in a subprocess that ends up being an ancestor of the user shell.
If you have POSIX threads make sure that USE_POSIX_THREADS is defined while compiling auth-pam.c. This works fine with Linux 2.4 and OpenSSH 3.7.1pl2.

Achim

--
Scientific Computing
Paul Scherrer Institut
CH-5232 Villigen

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
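The inheritance-chain point made in the quoted exchange can be reproduced without AFS at all. The program below is an added illustration, not code from this thread, from OpenSSH or from OpenAFS: it uses the soft RLIMIT_NOFILE limit as a stand-in for a PAG, since both are kernel-held per-process attributes that are copied to children on fork(), and RLIMIT_NOFILE needs no kernel module and no privilege to lower. Scenario A sets the attribute in an ancestor of the simulated "user shell"; scenario B sets it in a sibling helper process that exits before the shell is forked, which is the layout the thread attributes to OpenSSH 3.7.1 and later. All function names and the marker value 61 are constructed for this example.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed marker for the soft RLIMIT_NOFILE limit. A process may always
 * lower its own soft limit, so no privilege is needed; the value only has to
 * differ from the inherited default and stay below the hard limit. */
#define MARKER_NOFILE ((rlim_t)61)

/* Stand-in for the PAM session step: stamp a fork-inherited, kernel-held
 * per-process attribute on the calling process. Returns 0 on success. */
static int apply_session_attribute(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = MARKER_NOFILE;          /* lower the soft limit only */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Stand-in for the user's shell: fork a child and ask it whether the marker
 * was inherited. Returns 1 if it was, 0 if not, -1 on error. */
static int spawn_shell_and_check(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(2);
        _exit(rl.rlim_cur == MARKER_NOFILE ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 1 ? 1 : 0;
}

/* Run a scenario inside a throwaway child so the caller's own limits are
 * never modified; the child's verdict comes back as the return value. */
static int run_isolated(int (*scenario)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int r = scenario();
        _exit(r < 0 ? 2 : r);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/* Scenario A: the session step runs in an ancestor of the shell, the layout
 * the thread describes for OpenSSH versions before 3.7.1. */
static int scenario_ancestor(void)
{
    if (apply_session_attribute() != 0)
        return -1;
    return spawn_shell_and_check();
}

/* Scenario B: the session step runs in a sibling subprocess that has exited
 * before the shell is forked, the layout described for 3.7.1 and later. */
static int scenario_sibling(void)
{
    pid_t helper = fork();
    if (helper < 0)
        return -1;
    if (helper == 0)
        _exit(apply_session_attribute() == 0 ? 0 : 1);
    int status;
    if (waitpid(helper, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return spawn_shell_and_check();      /* helper's change never reached us */
}

int session_attr_seen_when_set_in_ancestor(void) { return run_isolated(scenario_ancestor); }
int session_attr_seen_when_set_in_sibling(void)  { return run_isolated(scenario_sibling); }

int main(void)
{
    printf("set in ancestor of shell: shell sees it = %d\n", session_attr_seen_when_set_in_ancestor());
    printf("set in sibling helper:    shell sees it = %d\n", session_attr_seen_when_set_in_sibling());
    return 0;
}
```

Running it prints 1 for the ancestor layout and 0 for the sibling layout: whatever the helper sets dies with the helper, exactly as a PAG set by a PAM session module in an unrelated subprocess would. Turning privsep off does not change which of the two layouts sshd uses, which is the point of the reply above.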
