Russ had said:
> dont_fork is the most interesting option here to me, since that prevents
> the PAM module from doing the -setpag thing.
Ah. I had noticed:
    } else if (strcasecmp(argv[i], "dont_fork") == 0) {
        ;
in afs_setcred.c, but hadn't bothered to look at afs_auth.c.
Um... Oh. Right. Ye olde duplicated code thing.
There must be a good reason for this.
Right. "dont_fork" is the way this should work.
And yes, "defect 11686" is probably why "dont_fork" isn't
the default. Since afs_setcred does a lot of it anyways, I
don't know if dont_fork is as useful as advertised - how does this stuff
call rx_Finalize() after afs_sm_setcred is invoked? And, right, set_token
does ever so interesting games which are of interest depending on if the
application calls pam_setcred().
I'm not positive, but I believe it's conceivable that sshd + pam is
resulting in calling ka_UserAuthenticateGeneral twice nearly in a row,
possibly with different but interesting options in terms of from which
process & pag the call is made. This might cause interesting timing
windows that might be difficult to duplicate from the command line.
-Marcus Watts