openssh unix dev - May 2000 - openssh-2.1.0 and AFS

Hi!

I've noticed that openssh always does a do_setpag() if compiled with
AFS-support no matter which authentication method is used.

Maybe I'm missing something but shouldn't it only get a pag, if
AFS-token-passing is used?
If password authentication is used, an AFS-pam-module (or the authenticate
function on AIX) will do the job, otherwise, no token can be
obtained and therefore no pag is needed.

I noticed that because normally root wants to login without a pag, which
is not possible now.

I attached a small patch, that moves the do_setpag-part from
do_authentication to the afs-token-passing section of do_authloop, maybe
you'll find that useful.

cheers,
--leo

-----------------------------------------------------------------------
Alexander (Leo) Bergolth                          leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste       http://leo.wu-wien.ac.at
Info Center
                 Computers are like air conditioners -
           they stop working properly when you open Windows
-------------- next part --------------
--- auth1.c.orig	Tue May  9 16:28:50 2000
+++ auth1.c	Tue May  9 17:38:13 2000
@@ -183,6 +183,11 @@
 				/* Accept AFS token. */
 				char *token_string = packet_get_string(&dlen);
 				packet_integrity_check(plen, 4 + dlen, type);
+				/* If machine has AFS, set process authentication group. */
+				if (k_hasafs()) {
+					k_setpag();
+					k_unlog();
+				}
 				if (!auth_afs_token(pw, token_string))
 					verbose("AFS token REFUSED for %s", pw->pw_name);
 				xfree(token_string);
@@ -441,14 +446,6 @@
 	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
 
 	setproctitle("%s", user);
-
-#ifdef AFS
-	/* If machine has AFS, set process authentication group. */
-	if (k_hasafs()) {
-		k_setpag();
-		k_unlog();
-	}
-#endif /* AFS */
 
 	/* Verify that the user is a valid user. */
 	pw = getpwnam(user);

On Tue, 9 May 2000, Alexander Bergolth wrote:
> Maybe I'm missing something but shouldn't it only get a pag, if
> AFS-token-passing is used?
or if kerberos TGT, or kerberos password authentication is used. in any
case, a PAG is set only if the local machine has AFS enabled.
> If password authentication is used, an AFS-pam-module (or the authenticate
> function on AIX) will do the job, otherwise, no token can be
> obtained and therefore no pag is needed.
a token can be obtained if a Kerberos TGT is passed as well. we don't want
to do a setpag() for every token passed, as a user may pass several tokens
at login (as is common at several large sites, with multiple cells).
> I noticed that because normally root wants to login without a pag, which
> is not possible now.
you'll have to use 'pagsh' for now, the same as if you su'd.

this issue has come up before on the ssh-afs at umich.edu list; i decided not
to special-case UID 0, as there isn't any precedent for this in existing
AFS code, and some people actually rely on token-passing as root.

i'm still not sure what the right behaviour should be - perhaps a new
server config option is in order? we can discuss this further on the
ssh-afs at umich.edu list if you wish...

-d.

---
http://www.monkey.org/~dugsong/