[OpenAFS] pam_krb5afs and openssh-4.0p1

lamont@scriptkiddie.org
Wed, 21 Sep 2005 15:50:39 -0700 (PDT)


On Wed, 21 Sep 2005, Douglas E. Engert wrote:
> Does the pam_krb5 have a force_creds option? Some do. This could allow it to
> store the ticket cache during the pam_sm_authenticate call rather than the
> pam_sm_setcred call.

I don't see "force.*cred" anywhere in the sources.  Grepping for "force" 
doesn't even turn up much.

And it looks like the only place that KRB5CCNAME gets set is in the 
session.c file that handles pam_open_session().  I don't see any 
functionality in auth.c or anywhere else that auth.c might call...

I checked both the 2.0.8-2 sources and the latest CVS checkout.

> The OpenAFS aklog, the Heimdal afslog and the gssklog all accept the -p
> option. I even see in aklog from as early as 1994 support for the -p option.
> The -p option is so the *log program can get a token for the cell
> that contains the directory.
>
> Never tried pam_afs2 with afs5log. Sounds like afs5log needs a -p option.

It looks like afs5log prefers to use getenv("HOME").  I agree it should 
support -p, even if it prefers to NOP that flag and do it itself...