[OpenAFS] pam with krb5 + openafs
David Miller
D.P.Miller@lse.ac.uk
Wed, 19 May 2004 15:20:05 +0100
Hi,
I'm running MIT krb5 and openafs 1.2.11 on Debian (stable on servers,
testing+unstable on desktops).
I've yet to find a decent way to keep a user's tokens refreshed.
Ideally I'd like to have users logging in to their machines (using [x|g|k]dm)
obtain a renewable krb5 ticket (preferably with a longer initial
lifetime too), and have xlock or xscreensaver refresh their ticket/token.
Is using something like xlock/xscreensaver with pam and appropriate pam
modules for krb5 and openafs the "normal" way of doing it?
If so, what pam modules are people using?
There seem to be a few to choose from.
There's the pam_krb5 and pam_krb5afs from
http://sourceforge.net/projects/pam-krb5/
which can do everything (AFS token grabbing, refreshing of tokens,
setting ticket lifetime).
But it won't work with a 1.3 MIT Kerberos 5 (it's in the bug tracking), and I
can't seem to find the right krbafs library that it needs to support AFS
token grabbing.
The pam modules that are part of openafs don't support Kerberos 5.
libpam-openafs-session is part of Debian, but won't refresh tokens and is
only a session pam module (xscreensaver needs an auth module).
The pam_krb5 module that comes with Debian doesn't support setting the
ticket lifetime, or obtaining a refreshable ticket.
What are people using for desktop Linux systems?
Especially on Debian.
Many thanks
David