[OpenAFS] Re: Kerberos V and xscreensaver/xlock
Christian Pfaffel
flash@itp.tu-graz.ac.at
30 Oct 2002 12:38:58 +0100
Charles Clancy <security@xauth.net> writes:
> > I do not even get the TGT if I authenticate to xlock | xscreensaver. I
> > have the following lines in my /etc/pam.d/system-auth:
> >
> > ...
> > auth sufficient /lib/security/pam_krb5afs.so debug tokens forwardable use_first_pass
> > ...
> > session optional /lib/security/pam_openafs_session.so
> > ...
> >
> > I tried it with pam_krb5.so as well:
> > auth sufficient /lib/security/pam_krb5.so debug forwardable use_first_pass
> >
> > It never does renew my TGT. klist befor and after xlock show the same
> > expiration times for it.
>
> Maybe try adding "reuse_ccache" as an option to pam_krb5. I'm not
> entirely sure -- I've not played with pam_krb5 nearly as much as pam_afs.
>
There does not exist a "reuse_ccache" option for pam_krb5.
Yesterday I did take some time and hacked a "refresh_token" option
into pam_krb5afs. Once it is tested i will forward my changes to the
pam_krb5 maintainer.
Thanks for your help.
Christian
--
PGP-Key: http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg