[OpenAFS] Re: pam-afs-session 1.0 released

Adam Megacz megacz@cs.berkeley.edu
Fri, 15 Dec 2006 10:47:03 -0800

Russ Allbery <rra@stanford.edu> writes:
> Huh, interesting.  I assume that the usage scenario here is that basically
> you want permanent AFS tokens for a user that you can still invalidate if
> you need to?

Oh, I hadn't thought of the invalidation aspect.  Is there some easy
way to do this without that capability that I'm missing?

> It's difficult to do this from inside a PAM module since the PAM module
> doesn't have any control over the user's shell, and for ideal k5start
> behavior (such as automatically exiting when the shell exits) you want to
> have k5start invoke the shell and watch it.

Ah, I see.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380