openssh-2.1.0 and AFS
Alexander Bergolth
leo at strike.wu-wien.ac.at
Wed May 10 03:00:46 EST 2000
Hi!
I've noticed that openssh always does a do_setpag() if compiled with
AFS-support no matter which authentication method is used.
Maybe I'm missing something but shouldn't it only get a pag, if
AFS-token-passing is used?
If password authentication is used, an AFS-pam-module (or the authenticate
function on AIX) will do the job, otherwise, no token can be
obtained and therefore no pag is needed.
I noticed that because normally root wants to login without a pag, which
is not possible now.
I attached a small patch, that moves the do_setpag-part from
do_authentication to the afs-token-passing section of do_authloop, maybe
you'll find that useful.
cheers,
--leo
-----------------------------------------------------------------------
Alexander (Leo) Bergolth leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at
Info Center
Computers are like air conditioners -
they stop working properly when you open Windows
-------------- next part --------------
--- auth1.c.orig Tue May 9 16:28:50 2000
+++ auth1.c Tue May 9 17:38:13 2000
@@ -183,6 +183,11 @@
/* Accept AFS token. */
char *token_string = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);
+ /* If machine has AFS, set process authentication group. */
+ if (k_hasafs()) {
+ k_setpag();
+ k_unlog();
+ }
if (!auth_afs_token(pw, token_string))
verbose("AFS token REFUSED for %s", pw->pw_name);
xfree(token_string);
@@ -441,14 +446,6 @@
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
setproctitle("%s", user);
-
-#ifdef AFS
- /* If machine has AFS, set process authentication group. */
- if (k_hasafs()) {
- k_setpag();
- k_unlog();
- }
-#endif /* AFS */
/* Verify that the user is a valid user. */
pw = getpwnam(user);
More information about the openssh-unix-dev
mailing list