Pending OpenSSH release, call for testing.
Douglas E. Engert
deengert at anl.gov
Tue Aug 17 08:42:52 EST 2004
Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.
>
The call to ssh_gssapi_krb5_storecreds() will call do_pam_putenv() to add
the KRB5CCNAME to the PAM environment. But this call is too late
to be useful for any PAM modules.
The call to ssh_gssapi_storecreds needs to be moved from
the do_exec to the do_setusercontext before the call to do_pam_session.
If this is done, I can remove the last of my local changes from OpenSSH.
This change was to call to a routine to get an AFS PAG and token using
the Kerberos cache obtained by either GSSAPI, Krb5 or PAM.
I have this working as a PAM session routine on Solaris.
This would also mean that eventually the USE_AFS code could also be
dropped as this can be done by PAM. It also takes away the pressure
of trying to get OS vendors to compile OpenSSH with USE_AFS, thus
making it easier to use OpenSSH and OpenAFS using the vendor's
supplied OPenSSH executables.
Attached is a modification to move the ssh_gssapi_storecreds call.
I can submit this as a bug if needed.
Thanks.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: session.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040816/ad8b31b2/attachment.ksh
More information about the openssh-unix-dev
mailing list