bugzilla-daemon at mindrot.org
2003-Sep-25 16:58 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

Summary: AFS tokens are not generated upon login
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: IDKaufman at lbl.gov

OpenSSH versions 3.7p1 through 3.7.1p2 on Solaris 2.6 and Solaris 8.
Solaris 8 Kernel patched to 108528-19 (cannot patch higher due to AFS issue)
Solaris 2.6 Kernel patched to 105181-35

Prior to upgrading from OpenSSH 3.6, if OpenSSH was compiled with the following flags:

./configure --with-pam --with-xauth=/usr/openwin/bin/xauth --with-tcp-wrappers --with-ssl-directory=/usr/local/ssl

users could log into their machines via OpenSSH, and through PAM, an AFS token would be generated. After upgrading OpenSSH, tokens are no longer generated, and users must run klog to authenticate to AFS.

Please contact me if you need more information. This issue has been discussed at OpenAFS as well:

https://lists.openafs.org/pipermail/openafs-info/2003-September/010738.html

Thanks for your time and consideration,

Ian

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-26 23:42 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

------- Additional Comments From djm at mindrot.org 2003-09-27 09:42 -------

Does this token get passed by way of an environment variable? Right now, the new PAM code doesn't export environment variables set by the authentication subprocess.
bugzilla-daemon at mindrot.org
2003-Sep-27 01:19 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

------- Additional Comments From djm at mindrot.org 2003-09-27 11:19 -------

Created an attachment (id=472) --> (http://bugzilla.mindrot.org/attachment.cgi?id=472&action=view)
Try to export environment from PAM authentication subprocess

This (quick, untested) patch tries to export the PAM environment from the authentication child to the master process. I have no idea whether or not it works, as I have no PAM modules that set environment variables during the auth phase.

Also, I was unsure whether all PAM modules pass their environment using PAM's internal environment API or using the standard unix **environ. To be paranoid I pass both :)
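An added illustration of the behaviour described in the comment above (it is not the patch in attachment 472 and not OpenSSH code): a variable set inside a forked authentication child never appears in the master process unless the child forwards it explicitly. The variable name DEMO_AUTH_TICKET, its value and the function names are hypothetical, and a plain setenv() stands in for whatever a PAM module would do.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical name standing in for a variable a PAM module might set. */
#define DEMO_VAR "DEMO_AUTH_TICKET"

/* Auth child: a "module" sets the variable, then the child sends NAME=value up. */
static void child_auth(int wfd)
{
    char buf[256];
    setenv(DEMO_VAR, "constructed-value", 1);   /* changes this process only */
    int n = snprintf(buf, sizeof(buf), "%s=%s", DEMO_VAR, getenv(DEMO_VAR));
    int ok = n > 0 && (size_t)n < sizeof(buf) && write(wfd, buf, (size_t)n + 1) > 0;
    _exit(ok ? 0 : 1);
}

/* Master: run the child; import the forwarded entry only if import_env. 0 = ok. */
int run_auth(int import_env)
{
    int fds[2], status;
    char buf[256];
    unsetenv(DEMO_VAR);
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { close(fds[0]); child_auth(fds[1]); }
    close(fds[1]);
    ssize_t n = read(fds[0], buf, sizeof(buf) - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status)) return -1;
    if (n <= 0 || getenv(DEMO_VAR) != NULL) return -1;  /* nothing crossed fork() */
    buf[n] = '\0';
    /* Import only the name the master expects, never arbitrary entries. */
    if (strncmp(buf, DEMO_VAR "=", strlen(DEMO_VAR) + 1) != 0) return -1;
    if (import_env && setenv(DEMO_VAR, buf + strlen(DEMO_VAR) + 1, 1) != 0) return -1;
    return 0;
}

int main(void)
{
    int a = run_auth(0), lost = getenv(DEMO_VAR) == NULL;
    int b = run_auth(1);
    printf("no export: rc=%d lost=%d; export: rc=%d value=%s\n", a, lost, b, getenv(DEMO_VAR) ? getenv(DEMO_VAR) : "(unset)");
    return 0;
}
```

State that lives outside the environment and is bound to the child process is not carried by this kind of forwarding.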
bugzilla-daemon at mindrot.org
2003-Sep-30 20:28 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

------- Additional Comments From IDKaufman at lbl.gov 2003-10-01 06:28 -------

Damien,

Your patch did not seem to work. We believe that it is not an environment issue, but something in the way the password is passed around in the PAM modules.

By changing the local password so that it differs from the AFS password, normal behavior would indicate that if the AFS password is entered, PAM would react appropriately, and AFS would authenticate the user correctly. Currently, the user is immediately rejected from login.

We are going to test the latest OpenAFS client to see if we can get better behavior.

Please let me know if there are some traces you would like, or other dumps. Truss hasn't proven too enlightening so far.

Thanks for your efforts,

Ian
bugzilla-daemon at mindrot.org
2003-Oct-01 13:13 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

------- Additional Comments From picasso at madflower.com 2003-10-01 23:13 -------

Created an attachment (id=476) --> (http://bugzilla.mindrot.org/attachment.cgi?id=476&action=view)
output of sshd -d -d -d

The AFS token is missing. It will authenticate but it either doesn't set or it loses the token in the process. This is both the client side and server side output with pam_afs, ssh 3.7.1p2 with the listed patch applied, compiled with egcs on Solaris 8 (it also didn't seem to work compiled with gcc 2.95.x). I haven't tried it under the 3.2.x version of gcc or Solaris CC or under Linux. I don't believe it is a compiler issue though.

I have a sneaky suspicion the AFS token is getting set to the process but it switches from process (priv separation?) to which the token was attached and appears to not be set when it was just destroyed by the process switch.
bugzilla-daemon at mindrot.org
2003-Oct-02 17:48 UTC
[Bug 717] AFS tokens are not generated upon login
http://bugzilla.mindrot.org/show_bug.cgi?id=717

------- Additional Comments From IDKaufman at lbl.gov 2003-10-03 03:48 -------

I tested with privsep off. No change. I am going to build a 32 bit machine to see if it is a 32 vs. 64 bit issue.

Ian