[OpenAFS] Re: Kerberos V and xscreensaver/xlock
Christian Pfaffel
flash@itp.tu-graz.ac.at
29 Oct 2002 12:07:38 +0100
Charles Clancy <security@xauth.net> writes:
> On 28 Oct 2002, Christian Pfaffel wrote:
> >
> > Is there a way to configure a standard xscreensaver/xlock to
> > renew/replace the kerberos V ticket and obtain a newer AFS token, so
> > that I will always have a valid token to access my AFS homespace.
>
> Just use pam_krb5 for authentication; that should get you a new TGT.
>
> Then, pam_openafs-session should be able to get you a new token. You need
> to have pam_openafs-session NOT get a new PAG for you, otherwise that new
> token will die with xscreensaver. I'm not sure if there's an option to do
> that or not. If not, it should be added.
>
I do not even get the TGT if I authenticate to xlock | xscreensaver. I
have the following lines in my /etc/pam.d/system-auth:
...
auth sufficient /lib/security/pam_krb5afs.so debug tokens forwardable use_first_pass
...
session optional /lib/security/pam_openafs_session.so
...
I tried it with pam_krb5.so as well:
auth sufficient /lib/security/pam_krb5.so debug forwardable use_first_pass
It never does renew my TGT. klist before and after xlock show the same
expiration times for it.
:-(
Christian
--
PGP-Key: http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg