[OpenAFS] Re: Kerberos V and xscreensaver/xlock

Balazs GAL balsa@rit.bme.hu
31 Oct 2002 16:14:14 +0100


On Wed, 2002-10-30, Charles Clancy wrote:
> > I do not even get the TGT if I authenticate to xlock | xscreensaver.
> > It never does renew my TGT. klist before and after xlock show the
> > same expiration times for it.
>
> Maybe try adding "reuse_ccache" as an option to pam_krb5.  I'm not
> entirely sure -- I've not played with pam_krb5 nearly as much as
> pam_afs.

Please read the thread:

http://www.stacken.kth.se/lists/heimdal-discuss/2002-08/msg00002.html

My heimdal port of Nalin's (RedHat) pam_krb5 has the above feature.

From README:

Heimdal port:
=============
It's now able to get krb5 tgt,
convert krb5 tgt to krb4 tgt (krb524),
get afs tokens with krb5_afslog,
optional native kth-krb4 ticket grabbing.

New code which is not in the main pam_krb5:
-------------------------------------------
I wrote new code which is useful e.g. with ssh with token
forwarding. It tries to use and convert the forwarded krb5 tgt
to krb4 tgt and to afs tokens. (like pam_openafs_session)

New refresh_creds option. See more in the README:
refresh_creds or
refresh_tokens
It tries to refresh the existing credentials and tokens.
If it can't refresh a cred (maybe because the user's
principal and the ticket's principal are different) then
it will not save the cred which was acquired
during authentication unless you use the
retain_creds option.
It is very useful e.g. with xlock. If you unlock
the display then it will refresh your creds if possible.

You can download my pam_krb5 heimdal port (which I hope works with
mit-krb5 too, let me know if not) from:

http://www.rit.bme.hu/~balsa/pam_krb5/pam_krb5-heimdal-1_3-rc3.tar.gz

Any comments are welcome!!

balsa