Douglas E Engert <[EMAIL PROTECTED]> writes: > Rather then having to modify ssh to swap the order of the > calls to pam_setcred and pam_open_session, you could look at > using one of the pam_afs module that will get the token and PAG > during the pam_setcred. For example the pam_openafs_session.so > module can be called from "auth" and it will get the token > during pam_setcred.
pam_openafs_session.so relies on aklog -setpag, which is what sparked this whole discussion. That functionality appears to have broken with the latest kernels and the latest OpenAFS. I had one report that it started working again after reverting the kernel module to 1.4.2-fc3 and one report that that didn't help. -setpag is, as Jeff points out, living on borrowed time. It may be possible to fix this; I don't know the Linux kernel internals well enough to tell you. However, the best solution is to switch to a PAM module that creates a PAG through a direct system call during open_session or setcred. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
