[93] in athena10
Re: PAM, schroot, and debathenificator
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 22 13:44:10 2008
From: Greg Hudson <ghudson@MIT.EDU>
To: Timothy G Abbott <tabbott@mit.edu>
Cc: athena10@mit.edu
In-Reply-To: <Pine.LNX.4.64L.0802221333320.17684@vinegar-pot.mit.edu>
Content-Type: text/plain
Date: Fri, 22 Feb 2008 13:43:37 -0500
Message-Id: <1203705817.6804.3.camel@error-messages.mit.edu>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit

On Fri, 2008-02-22 at 13:38 -0500, Timothy G Abbott wrote:
> I wonder whether this PAM behavior is a bug in schroot. Unlike most
> applications of PAM, here the PAM session modules are being run when
> entering the chroot from the host machine, whereas normally they should be
> run when logging into the machine. It certainly results in problems in
> our case, and I'm not sure what utility it is providing... perhaps they
> intended to run the PAM from inside the chroot?

Not sure. I don't have a solid grasp on PAM semantics, but it does seem
wrong to create a login session outside the chroot for this purpose.

> I suspect an alternative workaround would be to cause schroot to pass the
> KRB5CCNAME environment variable into the chroot, so that we get new
> tokens on schroot.

I'm not sure this would work for me since I need dev cell tokens.