--On Friday, November 16, 2007 08:10:30 PM +0000 Simon Wilkinson <[EMAIL PROTECTED]> wrote:

I talked about this at the last AFS BPW. Basically, OpenSSH normally
performs the PAM auth step from a process that doesn't own the eventual
shell (in fact, the process is spawned specifically to perform the
authentication, and then is killed as soon as authentication is
complete). There are some diagrams of this at
http://workshop.openafs.org/afsbpw07/talks/simon2.pdf

I suspect that you may be able to get this to work with some versions of
OpenSSH by disabling the ChallengeResponse option - although this limits
the types of PAM interaction that you can perform.

I believe mainstream OpenSSH uses PAM only for keyboard-interactive and never for password. Patches are available which make it use PAM in both cases. I believe Debian ships with such a patch, but I don't know about other distributions.

You can work around this behavior by building OpenSSH with -DUNSUPPORTED_POSIX_THREADS_HACK, which causes it to run pam_authenticate in a thread instead of a completely separate process. As the name suggests, this is not something they support, but we've found it to work quite well.

-- Jeff
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
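
The difference between the two process layouts discussed above, as an added C example (not OpenSSH code and not from either poster): a stand-in for the authentication step sets process-scoped state, first in a throwaway child process and then in a thread of the calling process. The variable `DEMO_CRED` and all function names are hypothetical, and using an environment variable as the state is an assumption; the messages do not say which state a PAM module sets.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define CRED_VAR "DEMO_CRED"  /* hypothetical stand-in for module-set state */

/* Stand-in for the authenticate step: it leaves process-scoped state
 * behind in whichever process runs it. Build with: cc -pthread */
static void *fake_authenticate(void *arg)
{
    (void)arg;
    setenv(CRED_VAR, "granted", 1);
    return NULL;
}

/* Separate-process layout: authenticate in a child that then exits. */
int auth_in_child(void)
{
    int status;
    unsetenv(CRED_VAR);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        fake_authenticate(NULL);      /* state exists only in the child */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return getenv(CRED_VAR) != NULL;  /* parent: state went away with the child */
}

/* Thread layout: same step, run in a thread of the calling process. */
int auth_in_thread(void)
{
    pthread_t tid;
    unsetenv(CRED_VAR);
    if (pthread_create(&tid, NULL, fake_authenticate, NULL) != 0) return -1;
    pthread_join(tid, NULL);
    return getenv(CRED_VAR) != NULL;  /* state is still present after the join */
}

int main(void)
{
    printf("child process: state visible afterwards = %d\n", auth_in_child());
    printf("thread:        state visible afterwards = %d\n", auth_in_thread());
    return 0;
}
```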
