Russ Allbery wrote:
> Douglas E Engert <[EMAIL PROTECTED]> writes:
>
>> Rather than having to modify ssh to swap the order of the
>> calls to pam_setcred and pam_open_session, you could look at
>> using one of the pam_afs modules that will get the token and PAG
>> during the pam_setcred. For example the pam_openafs_session.so
>> module can be called from "auth" and it will get the token
>> during pam_setcred.
>
> pam_openafs_session.so relies on aklog -setpag, which is what sparked this
> whole discussion. That functionality appears to have broken with the
> latest kernels and the latest OpenAFS. I had one report that it started
> working again after reverting the kernel module to 1.4.2-fc3 and one
> report that that didn't help.
>
> -setpag is, as Jeff points out, living on borrowed time. It may be
> possible to fix this; I don't know the Linux kernel internals well enough
> to tell you. However, the best solution is to switch to a PAM module that
> creates a PAG through a direct system call during open_session or setcred.

OK, that is what pam_afs2.so does. It basically uses the proc_afs_syscall
from sys/glue.c:

    rval = proc_afs_syscall(AFSCALL_SETPAG,0,0,0,0,&ret);

glue.c or glue.o could be included/linked in.
Or go one step up, to lsetpag.c that calls the proc_afs_syscall
on Linux.

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
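
The direct PAG-creating call discussed above, as an added example that is not part of the original message and is not OpenAFS or pam_afs2 code. The /proc path, ioctl number, struct layout and AFSCALL_SETPAG value are recalled from OpenAFS's Linux sources and should be checked against your tree; afs_setpag_via is a hypothetical helper name. It shows the failure handling a PAM module needs so that a session is not silently left without its own PAG.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Assumed values, recalled from OpenAFS's Linux client sources. */
#define AFS_PROC_IOCTL "/proc/fs/openafs/afs_ioctl"
#define VIOC_SYSCALL   _IOW('C', 1, void *)
#define AFSCALL_SETPAG 21

/* Argument block passed through the ioctl (assumed layout). */
struct afsprocdata {
    long param4, param3, param2, param1;
    long syscall;
};

/*
 * Hypothetical helper: ask the AFS kernel module, reached through the
 * ioctl file at `path`, to put the calling process in a new PAG.
 * Returns 0 on success, -1 with errno set on failure. A caller in
 * pam_sm_setcred or pam_sm_open_session should treat -1 as "no PAG"
 * and decide whether to fail the session or continue without tokens.
 */
static int afs_setpag_via(const char *path)
{
    struct afsprocdata data;
    int fd, rc, saved;

    fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;              /* AFS client not loaded or not reachable */
    memset(&data, 0, sizeof(data));
    data.syscall = AFSCALL_SETPAG;
    rc = ioctl(fd, VIOC_SYSCALL, &data);
    saved = errno;              /* close() must not hide the ioctl error */
    close(fd);
    errno = saved;
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    if (afs_setpag_via(AFS_PROC_IOCTL) != 0) {
        fprintf(stderr, "setpag failed: %s\n", strerror(errno));
        return 1;
    }
    puts("new PAG created");
    return 0;
}
```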