[OpenAFS] Obtain PAG/Token in pam_setcred() or in pam_open_session()?

Hans.Ranke@ei.tum.de Hans.Ranke@ei.tum.de
Thu, 10 May 2007 09:51:22 +0200


Hello,

In the past, I used to configure PAM to setpag and obtain tokens
during session setup.

In the newest kdm version (3.5.6) this is no longer possible.
Group changes during pam_open_session() are undone before the
client is started, and so the PAG is lost.

I opened a bug with KDE ( http://bugs.kde.org/show_bug.cgi?id=145188 )
but the maintainer convincingly argues that credentials should be
obtained by pam_setcred() instead.

What is your opinion?
Should one strive to manage the tokens in the authentication phase?
Does it just work if PAM is correctly configured, or are there major issues?
I have not yet researched this path. What I see is:
  - I cannot use pam_keyinit on linux, because it will destroy the PAG key
    during session setup. Probably no big deal as long as only AFS uses 
    keyrings.
  - Applications like openssh, that get a krb5 ticket via GSSAPI and
    need to get a token from it, might need to do it in the session
    component of pam_krb5. Or maybe I should look into pam_afs_session.

Or do you think token management should be done in session management?
If so, do you have convincing arguments for the KDE people?

My environment:
mostly Fedora Linux, Kerberos 5 KDC.

Thanks, Hans

-- 
Hans Ranke                                                  Ranke@tum.de
Lehrstuhl fuer                                             Institute for
Entwurfsautomatisierung                     Electronic Design Automation
              Technische Universitaet Muenchen, Germany                
Phone +49 89 289 23660                              Fax +49 89 289 63666
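As an added illustration (not part of the original post, and not a configuration the author or the OpenAFS project supplies), here is what a PAM stack following the KDE maintainer's advice looks like: pam_afs_session listed in the auth group so that pam_setcred() creates the PAG and obtains the token, and pam_keyinit ordered before pam_afs_session in the session group so that creating the session keyring does not destroy the PAG key. The service file name, the choice of pam_krb5 as the authentication module and the control flags are assumptions; whether kdm 3.5.6 preserves a PAG set in pam_setcred() is exactly the open question of the post and is not settled by this fragment.

```conf
# /etc/pam.d/kdm  (illustrative; file name and control flags are assumptions)

# --- auth group: pam_authenticate() and pam_setcred() ---
auth      required    pam_env.so
auth      sufficient  pam_krb5.so
auth      required    pam_deny.so
# pam_afs_session does nothing in pam_authenticate(); in pam_setcred()
# (PAM_ESTABLISH_CRED) it creates the PAG and runs aklog using the Kerberos
# ticket cache that pam_krb5 left in the PAM environment.
auth      optional    pam_afs_session.so

# --- session group: pam_open_session() / pam_close_session() ---
# pam_keyinit must run BEFORE pam_afs_session: it replaces the session
# keyring, which on keyring-based kernels is where the PAG key lives.
session   required    pam_keyinit.so force revoke
session   optional    pam_afs_session.so
session   required    pam_unix.so
```

After logging in through such a stack, `tokens` should list the AFS token, and on kernels where OpenAFS stores the PAG in the session keyring, `keyctl show` should show an afs_pag key; if `tokens` reports no token while the Kerberos ticket is present, the PAG was created and then lost, which is the kdm symptom described above and points at the order of the setcred/open_session calls rather than at pam_afs_session itself.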