BTW, there are a couple more things to add in the FAQ on this:

You must set in /etc/ssh/sshd_config:

UsePrivilegeSeparation no

You must also remember to add -lpthread to the openssh build.

I tested this with openssh4.0p1, along with a previously described patch
to swap the order of calls to pam_setcred and pam_open_session. Seems to
work.

I will put a patch and a source src.RPM up at

http://www.av8.net/SOURCES/openssh-4.0p1-av8.patch
http://www.av8.net/SRPMS/openssh-4.0p1-1av8.src.rpm

Feel free to link.

Thanks,

--Dean

On Mon, 30 Oct 2006, Dean Anderson wrote:

> On Mon, 30 Oct 2006, Jeffrey Hutzelman wrote:
>
> > On Monday, October 30, 2006 01:56:16 AM -0500 Dean Anderson <[EMAIL PROTECTED]>
> > wrote:
> >
> > > I see that openssh is _still_ doing a pam_open_session before
> > > pam_setcred, but having changed that in openssh (4.0p1), it still
> > > doesn't work. Pam module gets called--I can see the syslog'd debug
> > > messages when I add "debug", but I get no credentials on login.
> >
> > This list is for development discussion, not "please tell me how to make it
> > work". As such, you should expect to find messages in the archive which
> > propose solutions to a problem that don't actually help you. Sometimes
> > that's because the proposed solution is wrong, and sometimes it's because
> > the topic at hand is quite complex, and what looks like the same problem
> > may not be. Similarly, "try this" does not mean "this will make your
> > problem go away"; it means "try this and let me know whether it works".
>
> I understand all the issues you mention about development. However,
> developers who solve problems but don't tell anyone about the solutions
> so found, haven't really solved a problem.
>
> > When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*) If
> > not, then sshd is going to run the AFS PAM module in a subprocess,
> > where it has no ability to provide you with tokens. This is a
> > fundamental flaw in the way OpenSSH handles PAM modules, not a bug in
> > OpenAFS.
>
> That would be helpful to put in a FAQ, somewhere easily found. In fact,
> I'll be happy to provide a url to a patch and src.rpm for openssh that you
> can add to the FAQ on this subject.
>
> Regarding 'bug in OpenAFS', lots of things are not "bug in <x>", but are
> solved by <x> in some way (maybe a patch, maybe just a FAQ), because,
> obviously, sometimes <x> isn't very useful without it.
>
> But, thanks for the clues. I do appreciate it.
>
> > If you built with -DUSE_POSIX_THREADS and still have a problem, then
> > please provide details like the exact versions of openafs and sshd you
> > are using, any patches you've applied, the OS version and
> > architecture, and the contents of the relevant PAM config files and
> > log files.
>
> I thought I did that: fedora core 4 comes with a particular linux
> kernel, glibc, compilers, and other configuration and environment. I
> stated openafs 1.4.2, built from the openafs.org distributed src.rpm,
> and openssh 4.0p1, as distributed with fc4 and rebuilt as described.
> Since I specified all the updates I made, there are no other updates
> from the fc4 stock.
>
> Thanks again for the clues.
>
> --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
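
The point made in the quoted reply, that a PAM module run in a subprocess reports success yet leaves the login session without credentials while one run in a thread does not, as an added C illustration (not part of the original thread, and not OpenSSH or OpenAFS code). `session_token`, `fake_setcred` and the two `run_in_*` functions are hypothetical stand-ins, and a plain variable stands in for the per-process token state.

```c
#include <pthread.h>   /* build with: cc -pthread */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for per-process credential state (AFS tokens in the thread). */
static char session_token[32];
struct outcome { int module_ok; int session_has_token; };

/* Hypothetical setcred step: attaches the credential to the calling process only. */
static int fake_setcred(void) {
    strcpy(session_token, "constructed-token");
    return session_token[0] != '\0';
}

static void *setcred_thread(void *ok) { *(int *)ok = fake_setcred(); return NULL; }

/* Module runs in a forked child, as in an sshd built without thread support. */
struct outcome run_in_subprocess(void) {
    struct outcome o = {0, 0};
    int status = 0;
    session_token[0] = '\0';
    pid_t pid = fork();
    if (pid < 0) return o;
    if (pid == 0) _exit(fake_setcred() ? 0 : 1);  /* child's copy dies with the child */
    if (waitpid(pid, &status, 0) < 0) return o;
    o.module_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    o.session_has_token = session_token[0] != '\0';
    return o;
}

/* Module runs in a thread of the session process, as in the threaded build. */
struct outcome run_in_thread(void) {
    struct outcome o = {0, 0};
    pthread_t t;
    session_token[0] = '\0';
    if (pthread_create(&t, NULL, setcred_thread, &o.module_ok) != 0) return o;
    pthread_join(t, NULL);
    o.session_has_token = session_token[0] != '\0';
    return o;
}

int main(void) {
    struct outcome a = run_in_subprocess(), b = run_in_thread();
    printf("subprocess: ok=%d token=%d\n", a.module_ok, a.session_has_token);
    printf("thread:     ok=%d token=%d\n", b.module_ok, b.session_has_token);
    return 0;
}
```

The subprocess case matches the symptom reported in the thread: the module is called and succeeds, but the session process ends up without the credential.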
