openssh-2.1.0 and AFS

Alexander Bergolth leo at strike.wu-wien.ac.at
Wed May 10 03:00:46 EST 2000


Hi!

I've noticed that openssh always does a do_setpag() if compiled with
AFS-support no matter which authentication method is used.

Maybe I'm missing something, but shouldn't it only get a pag if
AFS-token-passing is used?
If password authentication is used, an AFS-pam-module (or the authenticate
function on AIX) will do the job; otherwise, no token can be
obtained and therefore no pag is needed.

I noticed that because normally root wants to log in without a pag, which
is not possible now.

I attached a small patch that moves the do_setpag-part from
do_authentication to the afs-token-passing section of do_authloop; maybe
you'll find that useful.

cheers,
--leo

-----------------------------------------------------------------------
Alexander (Leo) Bergolth                          leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste       http://leo.wu-wien.ac.at
Info Center
                 Computers are like air conditioners -
           they stop working properly when you open Windows
-------------- next part --------------
--- auth1.c.orig	Tue May  9 16:28:50 2000
+++ auth1.c	Tue May  9 17:38:13 2000
@@ -183,6 +183,11 @@
 				/* Accept AFS token. */
 				char *token_string = packet_get_string(&dlen);
 				packet_integrity_check(plen, 4 + dlen, type);
+				/* If machine has AFS, set process authentication group. */
+				if (k_hasafs()) {
+					k_setpag();
+					k_unlog();
+				}
 				if (!auth_afs_token(pw, token_string))
 					verbose("AFS token REFUSED for %s", pw->pw_name);
 				xfree(token_string);
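Review bot: the added k_setpag()/k_unlog() pair runs before auth_afs_token() has accepted the token, so a new PAG is created even on the "AFS token REFUSED" path, and again each time this branch is reached during authentication. Consider calling it at most once per connection (for example behind a static flag) and checking the return value of k_setpag(), so a failure is logged instead of silently leaving the process in the inherited PAG. The copy removed in the second hunk was wrapped in #ifdef AFS; please confirm this section already sits inside that guard, since none is visible in the context lines.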
@@ -441,14 +446,6 @@
 	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
 
 	setproctitle("%s", user);
-
-#ifdef AFS
-	/* If machine has AFS, set process authentication group. */
-	if (k_hasafs()) {
-		k_setpag();
-		k_unlog();
-	}
-#endif /* AFS */
 
 	/* Verify that the user is a valid user. */
 	pw = getpwnam(user);
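Review bot: with the unconditional block after setproctitle() removed, every authentication method other than AFS token passing now continues in whatever PAG sshd itself was started with. That gives root the pag-less login the message asks for, but it also makes correctness depend on the password path (the AFS PAM module or the AIX authenticate function, per the message) creating its own PAG before it obtains tokens; if it does not, tokens end up in a PAG shared with the daemon and other sessions. Please state that assumption in a comment here, or keep the k_setpag() call and skip it only for the case that needs no PAG.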

