On 16 Nov 2007, at 19:44, Russ Allbery wrote:
> pam_afs doesn't work properly with ssh because it tries to do all of its
> work in the auth stack instead of using the session stack to set up
> tokens.

I talked about this at the last AFS BPW. Basically, OpenSSH normally
performs the PAM auth step from a process that doesn't own the
eventual shell (in fact, the process is spawned specifically to
perform the authentication, and then is killed as soon as
authentication is complete). There are some diagrams of this at
http://workshop.openafs.org/afsbpw07/talks/simon2.pdf
I suspect that you may be able to get this to work with some versions
of OpenSSH by disabling the ChallengeResponse option - although this
limits the types of PAM interaction that you can perform.
Cheers,
Simon.