Re: [URG] SSH & PAM

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 02/24/04 

Date: Tue, 24 Feb 2004 11:22:40 +0000 (UTC)

In article <pan.2004.02.23.20.08.59.870577@nowhere.org>,
Sensei <noone@nowhere.org> wrote:
>On Mon, 23 Feb 2004 11:41:59 -0800, Mike Delaney wrote:
>
>> What version of SSH? On what type of system?
>
>OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep
>
>Linux (kernel 2.4.23)
>
>> If myuser's home directory is located in an AFS volume, then this is
>> the behavior you'd expect if myuser doesn't have a valid AFS token.
>> The Unix file permissions are quite meaningless in AFS.
>
>Yes! You're right:
>
>sensei@quantum sensei $ ssh root@plm
>Password:
>Last login: Mon Feb 23 20:58:28 2004 from plmhost
>~ # ssh user@localhost
>AFS Password:
>Last login: Mon Feb 23 21:00:49 2004 from localhost
>/afs/mycell/users/user/.tcsh.config: Permission denied.
>> /usr/afsws/bin/tokens
>
>Tokens held by the Cache Manager:
>
> --End of list--
>>
>
>God!!!!!!!!!
>
>Why?????

Since 3.7p1, OpenSSH's sshd does the PAM authentication in a child of
the privileged sshd. After 3.7.1p2, code was added to export all of
the state set by the PAM modules to that privileged process, which then
forks the shell.

So: try a snapshot of OpenSSH (or 3.8p1, which should be out soon,
possibly by the time you read this).

(I took a look at the code of kpam and the PAG is set in the pam_setcred
call, which is called in the immediate ancestor of the shell). 

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Relevant Pages

  • AFS support?
    ... I would like to ask those of you who use AFS and any kind of Secure ... * Are you still using SSH1 with Dug Song's obsolete patches? ... * Do you have a solution for integrating SSH2 with AFS logins on any ... exactly the same way, i.e. internally in ssh. ...
    (SSH)
  • Re: SSH / afs question
    ... > I am using cygwin ssh to log into a linux cluster that uses afs as the ... > file system. ... The problem starts when I try to use RSA authentication. ...
    (comp.security.ssh)
  • [SLE] afs integrated login
    ... when i try to ssh anillal@laila it logs in but giving an error ... AFS Password: ... "There is an appointed time for everything. ... Add photos, events, holidays, whatever. ...
    (SuSE)
  • SSH / afs question
    ... Everything works fine as long as I use password authentication. ... I am neither an ssh nor an afs expert so I have no idea if this ...
    (comp.security.ssh)
  • Re: Please! Kerberos ssh without password
    ... Sensei wrote: ... So noone has made openssh work with pam_krb5 and pam_openafs_session for ...
    (comp.security.ssh)