[OpenAFS] Re: pam-afs-session 1.0 released

Russ Allbery rra@stanford.edu
Fri, 15 Dec 2006 10:16:03 -0800


Adam Megacz <megacz@cs.berkeley.edu> writes:

> This is really cool!  Is there any straightforward/easy way to integrate
> this with kstart?

> For example, if the user in question has a ~/.keytab, then automatically
> wrap their PAGged-session in an invocation of "k5start -UKf ~/.keytab"?

Huh, interesting.  I assume that the usage scenario here is that basically
you want permanent AFS tokens for a user that you can still invalidate if
you need to?

Have you considered putting something like:

    # Wrap the login shell once: KSTART_RUNNING keeps the shell that
    # k5start starts from wrapping itself again when it reads this file.
    if [ -z "$KSTART_RUNNING" ] && [ -f "$HOME/.keytab" ] ; then
        exec k5start -K 30 -Uf "$HOME/.keytab" -- \
            env KSTART_RUNNING=1 "$SHELL" -l
    fi

in the shell initialization for users?  Or actually, that may be too
complex; all you may need is to give the user a shell of kstart-shell,
where kstart-shell is:

    #!/bin/sh
    # -U takes the principal from the keytab; -K 30 renews every 30 minutes.
    exec k5start -K 30 -Uf "$HOME/.keytab" /bin/bash -l

or whatever shell you want to use.  Although that doesn't let the user
pick their own shell as easily.

It's difficult to do this from inside a PAM module since the PAM module
doesn't have any control over the user's shell, and for ideal k5start
behavior (such as automatically exiting when the shell exits) you want to
have k5start invoke the shell and watch it.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
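A fuller version of the kstart-shell wrapper sketched in the reply above, as an added example that is not part of the original post or of the kstart distribution. It addresses the caveat that a fixed `/bin/bash` does not let the user pick a shell: the wrapper reads the preferred shell from `~/.kstart-shell` (a hypothetical per-user file assumed here, not something kstart or pam-afs-session defines), accepts it only if `/etc/shells` lists it, and refuses a keytab that is readable by group or others, since anyone who can read it holds the user's long-term key. The `k5start -K 30 -Uf` invocation is the one from the post; `k5start` is assumed to be in `PATH`, and if it is not, the user still gets a shell rather than a failed login.

```shell
#!/bin/sh
# kstart-shell: login-shell wrapper that runs the user's real shell under
# k5start so the Kerberos ticket (and, inside a pam-afs-session PAG, the
# AFS tokens) is kept renewed from ~/.keytab for the life of the session.
# Added example, not from the original post.  Assumptions not in the post:
# the preferred shell is read from ~/.kstart-shell (hypothetical file) and
# must appear in /etc/shells; k5start is in PATH.

# Print the user's real shell: the one named in $1 if it is an absolute
# path listed in $2 (normally /etc/shells), otherwise the fallback $3.
choose_shell() {
    prefs_file=$1 shells_file=$2 fallback=$3
    wanted=
    if [ -r "$prefs_file" ]; then
        IFS= read -r wanted < "$prefs_file" || true
        # Only an absolute path that the allowed-shells list names exactly
        # may become the login shell; anything else falls back.
        case "$wanted" in
            /*) if grep -qxF "$wanted" "$shells_file" 2>/dev/null; then
                    printf '%s\n' "$wanted"
                    return 0
                fi ;;
        esac
    fi
    printf '%s\n' "$fallback"
}

# Succeed only if $1 is a regular file with no group or other read bit.
# A keytab anyone else can read is a leaked long-term key, so we would
# rather start the session without tokens than use it.
keytab_ok() {
    [ -f "$1" ] || return 1
    leaky=$(find -L "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)
    [ -z "$leaky" ]
}

# Start the session.  With a usable keytab and k5start available, k5start
# reads the principal from the keytab (-U), renews every 30 minutes (-K 30),
# runs the chosen shell as a login shell and exits when the shell exits.
# Otherwise just exec the shell so the user can still log in.
run_session() {
    shell=$(choose_shell "$HOME/.kstart-shell" /etc/shells /bin/sh)
    if [ -z "${KSTART_RUNNING:-}" ] && keytab_ok "$HOME/.keytab" \
        && command -v k5start >/dev/null 2>&1; then
        KSTART_RUNNING=1
        export KSTART_RUNNING
        exec k5start -K 30 -Uf "$HOME/.keytab" -- "$shell" -l
    fi
    exec "$shell" -l
}

# Act as the wrapper only when installed and invoked as "kstart-shell";
# under any other name this file merely defines the functions above.
case "${0##*/}" in
    kstart-shell) run_session "$@" ;;
esac
```

Install the script as `kstart-shell`, list it in `/etc/shells`, and set it as the user's login shell; the user then chooses the shell they actually want by writing its path to `~/.kstart-shell`. The `-l` flag is understood as "login shell" by bash, zsh, ksh, dash and tcsh, so the allowed-shells list is what keeps an unexpected interpreter from being handed that flag.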