openssh-2.1.0 and AFS

Dug Song dugsong at
Mon May 15 03:20:28 EST 2000

On Tue, 9 May 2000, Alexander Bergolth wrote:

> Maybe I'm missing something but shouldn't it only get a pag, if
> AFS-token-passing is used?

or if kerberos TGT, or kerberos password authentication is used. in any
case, a PAG is set only if the local machine has AFS enabled.

> If password authentication is used, an AFS-pam-module (or the authenticate
> function on AIX) will do the job, otherwise, no token can be
> obtained and therefore no pag is needed.

a token can be obtained if a Kerberos TGT is passed as well. we don't want
to do a setpag() for every token passed, as a user may pass several tokens
at login (as is common at several large sites, with multiple cells).

> I noticed that because normally root wants to login without a pag, which
> is not possible now.

you'll have to use 'pagsh' for now, the same as if you su'd.

this issue has come up before on the ssh-afs at list; i decided not
to special-case UID 0, as there isn't any precedent for this in existing
AFS code, and some people actually rely on token-passing as root.

i'm still not sure what the right behaviour should be - perhaps a new
server config option is in order? we can discuss this further on the
ssh-afs at list if you wish...



More information about the openssh-unix-dev mailing list