Rather than having to modify ssh to swap the order of the
calls to pam_setcred and pam_open_session, you could look at
using one of the pam_afs modules that will get the token and PAG
during pam_setcred. For example, the pam_openafs_session.so
module can be called from "auth" and it will get the token
during pam_setcred.
Dean Anderson wrote:
BTW, there are a couple more things to add in the FAQ on this:
You must set in /etc/ssh/sshd_config:
UsePrivilegeSeparation no
You must also remember to add -lpthread to the openssh build.
I tested this with openssh4.0p1, along with a previously described patch
to swap the order of calls to pam_setcred and pam_open_session. Seems
to work.
I will put a patch and a source src.RPM up at
http://www.av8.net/SOURCES/openssh-4.0p1-av8.patch
http://www.av8.net/SRPMS/openssh-4.0p1-1av8.src.rpm
Feel free to link.
Thanks,
--Dean
On Mon, 30 Oct 2006, Dean Anderson wrote:
On Mon, 30 Oct 2006, Jeffrey Hutzelman wrote:
On Monday, October 30, 2006 01:56:16 AM -0500 Dean Anderson <[EMAIL PROTECTED]> wrote:
I see that openssh is _still_ doing a pam_open_session before
pam_setcred, but having changed that in openssh (4.0p1), it still
doesn't work. The PAM module gets called--I can see the syslog'd debug
messages when I add "debug", but I get no credentials on login.
This list is for development discussion, not "please tell me how to make it
work". As such, you should expect to find messages in the archive which
propose solutions to a problem that don't actually help you. Sometimes
that's because the proposed solution is wrong, and sometimes it's because
the topic at hand is quite complex, and what looks like the same problem
may not be. Similarly, "try this" does not mean "this will make your
problem go away"; it means "try this and let me know whether it works".
I understand all the issues you mention about development. However,
developers who solve problems but don't tell anyone about the solutions
so found, haven't really solved a problem.
When you recompiled openssh, did you use -DUSE_POSIX_THREADS? (*) If
not, then sshd is going to run the AFS PAM module in a subprocess,
where it has no ability to provide you with tokens. This is a
fundamental flaw in the way OpenSSH handles PAM modules, not a bug in
OpenAFS.
That would be helpful to put in a FAQ, somewhere easily found. In fact,
I'll be happy to provide a URL to a patch and src.rpm for openssh that you
can add to the FAQ on this subject.
Regarding 'bug in OpenAFS', lots of things are not "bug in <x>", but are
solved by <x> in some way (maybe a patch, maybe just a FAQ), because,
obviously, sometimes <x> isn't very useful without it.
But, thanks for the clues. I do appreciate it.
If you built with -DUSE_POSIX_THREADS and still have a problem, then
please provide details like the exact versions of openafs and sshd you
are using, any patches you've applied, the OS version and
architecture, and the contents of the relevant PAM config files and
log files.
I thought I did that: Fedora Core 4 comes with a particular Linux
kernel, glibc, compilers, and other configuration and environment. I
stated openafs 1.4.2, built from the openafs.org distributed src.rpm,
and openssh 4.0p1, as distributed with fc4 and rebuilt as described.
Since I specified all the updates I made, there are no other updates
from the fc4 stock.
Thanks again for the clues.
--Dean
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
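The thread settles on three things that have to be true before an AFS PAM module can hand tokens to the login session: sshd_config carries "UsePrivilegeSeparation no", the sshd binary was built with -DUSE_POSIX_THREADS and -lpthread so the module runs inside sshd rather than in a helper child, and the module sits in the "auth" stack so the token and PAG are taken during pam_setcred. The following POSIX shell audit collects those checks. It is an added example, not code from the OpenAFS or OpenSSH projects or from any of the posters. It assumes the module file is named pam_openafs_session.so as in Engert's reply, that /etc/ssh/sshd_config and /etc/pam.d/sshd are the files in play, and it reads ldd output from a file rather than running ldd so it can be exercised offline on the constructed samples it writes itself.

```shell
#!/bin/sh
# Added example (not OpenAFS or OpenSSH project code): audit an sshd host for
# the three conditions the thread identifies. Paths and the module file name
# are assumptions taken from the thread; adjust them for your build.

# 1. sshd_config: UsePrivilegeSeparation must be "no". sshd honours the
#    first occurrence of a keyword, so that is the one we read. Accepts
#    "Keyword value" and "Keyword=value"; keywords are case-insensitive.
privsep_disabled() {
    cfg=$1
    val=$(awk 'BEGIN { FS = "[ \t=]+" }
               { sub(/^[ \t]+/, "") }                 # strip leading blanks
               /^#/ || NF == 0 { next }               # skip comments, blank lines
               tolower($1) == "useprivilegeseparation" && !seen { v = $2; seen = 1 }
               END { print tolower(v) }' "$cfg")
    [ "$val" = "no" ]
}

# 2. /etc/pam.d/sshd: the AFS module must appear on an "auth" line so the
#    token and PAG are acquired during pam_setcred. The module may be given
#    with or without a directory prefix, so we match by substring.
afs_module_in_auth() {
    pamfile=$1
    module=${2:-pam_openafs_session.so}        # assumed module file name
    awk -v m="$module" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "auth" && index($0, m) { found = 1 }
        END { exit !found }' "$pamfile"
}

# 3. sshd must be linked with -lpthread (the -DUSE_POSIX_THREADS build).
#    The ldd output is read from a file; on a live host feed it
#    "ldd /usr/sbin/sshd > /tmp/ldd.out". Assumption: libpthread is a
#    separate shared object, as on the glibc of that era (glibc >= 2.34
#    folds pthreads into libc, and this particular check no longer applies).
ldd_shows_pthread() {
    grep -q 'libpthread\.so' "$1"
}

audit() {
    rc=0
    privsep_disabled "$1"   && echo "ok   UsePrivilegeSeparation no" \
                            || { echo "FAIL UsePrivilegeSeparation is not 'no'"; rc=1; }
    afs_module_in_auth "$2" && echo "ok   AFS module present in auth stack" \
                            || { echo "FAIL AFS module missing from auth stack"; rc=1; }
    ldd_shows_pthread "$3"  && echo "ok   sshd linked against libpthread" \
                            || { echo "FAIL sshd not linked with -lpthread"; rc=1; }
    return $rc
}

# Constructed sample inputs (not captured from a real host) so the script
# runs offline. Replace with the real files to audit a machine.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# sshd_config (constructed sample)
Port 22
UsePrivilegeSeparation no
UsePAM yes
EOF
cat > "$tmp/pam_sshd" <<'EOF'
# /etc/pam.d/sshd (constructed sample)
auth       required   pam_unix.so
auth       optional   pam_openafs_session.so debug
session    required   pam_unix.so
EOF
cat > "$tmp/ldd_out" <<'EOF'
libpthread.so.0 => /lib/libpthread.so.0 (0x00002aaaaaaab000)
libc.so.6 => /lib/libc.so.6 (0x00002aaaaabb0000)
EOF

audit "$tmp/sshd_config" "$tmp/pam_sshd" "$tmp/ldd_out"
rm -rf "$tmp"
```

A passing audit means the token path described in the thread can work; it is not an endorsement of the settings. "UsePrivilegeSeparation no" gives up the unprivileged pre-authentication child that isolates the network-facing parsing code, so the trade-off is worth recording next to the FAQ entry Dean asks for.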