I'm having some issues with PAGs and ssh on the systems I manage. They
are all Linux (Debian Sarge) with OpenAFS 1.3.81. We must use the
kerberos with SecurID, which puts many kinks in the way authentication
works, but those have all been worked out. sshd only allows
authentication via kerberos, a
[EMAIL PROTECTED] wrote:
I'm having some issues with PAGs and ssh on the systems I manage. They
are all Linux (Debian Sarge) with OpenAFS 1.3.81. We must use the
kerberos with SecurID, which puts many kinks in the way authentication
works, but those have all been worked out. sshd only allows
On 9/21/05, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
> Another solution is to use PAM to get the PAG and token. See other
> posts on this list on how this can be done, for both gssapi and
> when ssh calls kerberos.
Unfortunately we can't do that with our version of kerberos and ssh.
Also, I sh
It seems the most
universal and safe way to deal with it would be to have some utility
to drop the PAG, if that is at all possible.
Why not acquire a new pag with no tokens when you start a service? That's
what I do.
___
OpenAFS-info mailing list
[EMAIL PROTECTED] writes:
> When sshd starts up from boot time, it has no PAG, so when aklog runs
> the user gets tokens for the whole system. While this is not the ideal
> case, it is sufficient for most things at this time.
> Sometimes, we need to restart sshd (config changes, or whatever). If t
Jim Rees <[EMAIL PROTECTED]> writes:
> Why not acquire a new pag with no tokens when you start a service?
> That's what I do.
That's what I do too, but the PAG is still inherited by all processes
started by that service. So, in the case of cron, if you have users who
obtain AFS tokens in cron jo
On 9/21/05, Jim Rees <[EMAIL PROTECTED]> wrote:
> It seems the most
> universal and safe way to deal with it would be to have some utility
> to drop the PAG, if that is at all possible.
>
> Why not acquire a new pag with no tokens when you start a service? That's
> what I do.
Because as soo
At 9:24 AM -0500 9/21/05, <[EMAIL PROTECTED]> wrote:
The problem is this:
When sshd starts up from boot time, it has no PAG, so when aklog
runs the user gets tokens for the whole system. While this is not
the ideal case, it is sufficient for most things at this time.
Sometimes, we need to resta