search for: pagsh

...Therefore each new `rsync` process will start with a new PAG, and before accessing any files, one must call the `klog` tool to authenticate. However as said above, one can`t use `pre-xfer exec` because that executes after `chdir` which fails. For reference: * https://docs.openafs.org/Reference/1/pagsh.html * https://github.com/openafs/openafs/blob/master/src/sys/setpag.c * `k_setpag` -- http://manpages.ubuntu.com/manpages/bionic/man3/krb_afslog.3.html Other use-cases for such a feature: * as the original poster of the thread from 2008 said, he wanted to mount an encrypted file-system; * one co...

Hi! I've noticed that openssh always does a do_setpag() if compiled with AFS-support no matter which authentication method is used. Maybe I'm missing something but shouldn't it only get a pag, if AFS-token-passing is used? If password authentication is used, an AFS-pam-module (or the authenticate function on AIX) will do the job, otherwise, no token can be obtained and therefore no

Hi, I?m trying to develop a PAM module with OpenSSH, and I realized I need to retrieve something in a later stage that was saved in another previous stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes through PAM auth, account, session, and the session stage is in a different UNIX process from the process where auth and account take place. For the key auth route, auth stage

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

The native authentication methods of openssh are (not counting insecure RhostsRSAAuthentication) 1) public key 2) password For users with home dirs in AFS space, method 1) does not work. Except with (non foolproof) fiddling on the access controls within the home directory. This might lead to security issues when done by inexperienced users. Without some work, only 2) remains. Being forced to send