openssh-2.1.0 and AFS
Dug Song
dugsong at monkey.org
Mon May 15 03:20:28 EST 2000
On Tue, 9 May 2000, Alexander Bergolth wrote:

> Maybe I'm missing something but shouldn't it only get a pag, if
> AFS-token-passing is used?

or if kerberos TGT, or kerberos password authentication is used. in any
case, a PAG is set only if the local machine has AFS enabled.

> If password authentication is used, an AFS-pam-module (or the authenticate
> function on AIX) will do the job, otherwise, no token can be
> obtained and therefore no pag is needed.

a token can be obtained if a Kerberos TGT is passed as well. we don't want
to do a setpag() for every token passed, as a user may pass several tokens
at login (as is common at several large sites, with multiple cells).

> I noticed that because normally root wants to login without a pag, which
> is not possible now.

you'll have to use 'pagsh' for now, the same as if you su'd.

this issue has come up before on the ssh-afs at umich.edu list; i decided not
to special-case UID 0, as there isn't any precedent for this in existing
AFS code, and some people actually rely on token-passing as root.

i'm still not sure what the right behaviour should be - perhaps a new
server config option is in order? we can discuss this further on the
ssh-afs at umich.edu list if you wish...

-d.
---
http://www.monkey.org/~dugsong/