On 31 Oct 2006, at 01:14, Jeffrey Hutzelman wrote:

> When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*)
> If not, then sshd is going to run the AFS PAM module in a
> subprocess, where it has no ability to provide you with tokens.
> This is a fundamental flaw in the way OpenSSH handles PAM modules,
> not a bug in OpenAFS.

OpenSSH, without POSIX_THREADS, will work with AFS, providing you use
an AFS PAM module which creates the PAG as part of the session or
setcred sections - we use Doug Engert's pam_afs2 here, which works
fine. You need to do this, anyway, if you want to get AFS credentials
following a successful GSSAPI authentication.

The POSIX_THREADS hack appears to be being deprecated in the OpenSSH
codebase - it's now renamed USE_UNSUPPORTED_POSIX_THREADS_HACK.

[ The issue is that OpenSSH's complex 'monitor' system means that the
authentication sections of the PAM stack are run within a process
which has no relationship to the process eventually used to spawn the
shell ]

Cheers,

Simon.