PAM question and Re: [OpenAFS] keepafstoken

Simeon Miteff
Mon, 11 Jul 2005 08:48:32 +0200

Sergio Gelato wrote:
> Wouldn't it make more sense to simply obtain a renewable TGT to begin with,
> with a renewable lifetime long enough for your users' reasonable needs (I give
> mine a week), then use kinit -R from time to time? That way you don't need to 
> violate the spirit of Kerberos by keeping the password around for any trojan
> horse to grab using ptrace.
> You could make it more general by using PAM. I'm not sure what other
> authentication systems need credentials to be refreshed at regular time
> intervals, but there must be some. (Web applications often impose session
> timeouts, etc.) pam_setcred(handle, PAM_REFRESH_CRED) looks about right.

Thanks for pointing this out. I would be ideal if I could get my PAM
set-up to get a renewable TGT in the first place, and then call PAM, as
you suggest, to renew the credentials.

It certainly sounds like the Right Way to work through PAM when it is
already set up for Kerberos and AFS. I'll look into it as soon as I can.
For now, at least, I have something that violates the Kerberos spirit,
but works :)

PAM question:

I found the default Debian set-up using Cusack's pam_krb5 and
pam_openafs_session somewhat inflexible, and decided to use pam_krb5afs
from sourceforge instead, however, I could not get krbafs-1.2 to work.

I had to install libkafs0-heimdal and libkrb5-17-heimdal to get
pam_krb5afs to compile. While this is not a major problem, I would like
to know if anyone here managed to build a pam_krb5afs that doesn't use
the heimdal libs?