[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

Ragnar Sundblad ragge@nada.kth.se
Sun, 06 Oct 2002 03:34:28 +0200


--On 4 October 2002 15:37 -0400 David Botsch <dwb7@ccmr.cornell.edu> 
wrote:

> Does anyone have a contact at Apple to either request an afs
> authenticator for loginwindow or a pam authenticator for the loginwindow?
> As MacOSXlabs states, pam would allow loginwindow to be extremely
> extendable.

Note that any plugin just to loginwindow won't solve the
per-uid-tokens problem, since loginwindow is only the parent
to CoreServices/pbs. All other user apps (Dock, Finder, etc)
are children to WindowServer which isn't PIDly related to
either loginwindow or the user's SecurityAgent which
(currently) is the one running the kerberos plugin at
loginwindow time. There might be or come more services
that need access to the user's files, so we probably will
have to live with per-uid-tokens until someone has come
up with a new token-context scheme.

Also, just having a pam will not solve the ticket renewal
problem, while the loginLogout plugin does (except for a
bug in that code right now which only renews tickets when
they have expired, which is too late, but that will hopefully
be fixed). Though, since the apple kerb code won't renew tickets
if nothing exercises it, we will need a ticket renewal
daemon/app in the future too anyway, so it could (still) renew
afs tokens as well. Not extremely beautiful but will probably
work.

/ragge