Jeffrey Hutzelman wrote:
> On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson wrote:
>
>> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>>
>>> Worse, it would not solve the problem. The trouble here is not that AFS
>>> tokens are stored in a kernel data structure instead of a file. It's
>>> that they are indexed by a value which must be set on login, inherited
>>> from each process by its children, and must not be changeable by the
>>> user (to prevent token stealing). OpenSSH loses not because you need
>>> special code to set tokens, and not even because you need special code
>>> to generate a new PAG -- those things can be done by a PAM module.
>>> OpenSSH loses because the PAM session module gets called outside the
>>> inheritance chain of the user's shell, which means it can't set a PAG
>>> or anything else that is inherited across a fork (e.g. groups,
>>> environment variables, resource limits, etc etc etc).
>>
>> Right. And there is an easy solution: Turn off Privsep.
>
> Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run PAM
> session modules in a subprocess unrelated to the eventual user shell,
> regardless of whether privsep is enabled. AFAIK, in earlier versions, it
> works fine even with privsep, because while such things may be run in a
> subprocess, they are run in a subprocess that ends up being an ancestor
> of the user shell.

You can try:


./configure --with-cflags=-DUSE_POSIX_THREADS --with-ldflags=-lpthread

(or whichever library contains threads on your platform) and the PAM authentication code will be run as a thread.

See:
http://bugzilla.mindrot.org/show_bug.cgi?id=688

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
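The inheritance problem Jeffrey describes, as an added example that is not part of this thread and not OpenSSH or OpenAFS code. It simulates the two process layouts with fork(): the session module running in an ancestor of the user's shell versus in a sibling subprocess that exits before the shell is spawned. An environment variable stands in for the PAG (an assumption made so the program needs no privilege; PAGs, supplementary groups and resource limits follow the same fork-inheritance rule), and the "sshd", "PAM helper" and "shell" processes are plain forked children of this program.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a PAM session module (constructed for this example).
 * It sets an attribute that is inherited across fork(): an environment
 * variable here, chosen only because it needs no privilege. */
static void session_module(void)
{
    setenv("SESSION_ATTR", "set-by-session-module", 1);
}

/* Simulate one login and report whether the "user shell" process sees
 * the attribute.
 *   in_ancestor != 0: the session module runs in the process that later
 *                     forks the shell (the pre-3.7.1 layout).
 *   in_ancestor == 0: it runs in a sibling subprocess that exits first
 *                     (the 3.7.1+ layout described in the thread).
 * Returns 1 (shell saw it), 0 (shell did not), -1 on error. */
int simulate_login(int in_ancestor)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return -1;

    pid_t login = fork();           /* the per-connection "sshd" process */
    if (login < 0)
        return -1;

    if (login == 0) {
        close(pipefd[0]);
        if (in_ancestor) {
            session_module();       /* runs in the shell's ancestor */
        } else {
            pid_t helper = fork();  /* unrelated "PAM" subprocess */
            if (helper == 0) {
                session_module();   /* attribute dies with this process */
                _exit(0);
            }
            waitpid(helper, NULL, 0);
        }

        pid_t shell = fork();       /* the user's "shell" */
        if (shell == 0) {
            const char *v = getenv("SESSION_ATTR");
            char seen = (v && strcmp(v, "set-by-session-module") == 0) ? '1' : '0';
            if (write(pipefd[1], &seen, 1) != 1)
                _exit(1);
            _exit(0);
        }
        waitpid(shell, NULL, 0);
        _exit(0);
    }

    close(pipefd[1]);
    char seen = '0';
    ssize_t n = read(pipefd[0], &seen, 1);   /* shell's one-byte report */
    close(pipefd[0]);
    waitpid(login, NULL, 0);
    return n == 1 ? (seen == '1') : -1;
}

int main(void)
{
    printf("session module in shell's ancestor  : shell sees attribute = %d\n",
           simulate_login(1));
    printf("session module in sibling subprocess: shell sees attribute = %d\n",
           simulate_login(0));
    return 0;
}
```

Running it prints 1 for the ancestor layout and 0 for the sibling layout, which is exactly why a PAM module cannot fix the PAG problem on its own: whatever it sets is only visible to processes forked from the one it ran in.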
_______________________________________________
OpenAFS-devel mailing list
https://lists.openafs.org/mailman/listinfo/openafs-devel