[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

Ragnar Sundblad ragge@nada.kth.se
Tue, 08 Oct 2002 00:00:37 +0200


--On den 7 oktober 2002 17:25 -0400 David Botsch <dwb7@ccmr.cornell.edu> 
wrote:

> If we are authing against kerberos, which we can do, where does this fit
> into that process? Before or after the auth takes place? I.e., could one
> just insert the "aklog" command after the pagsh command and thereby get
> tokens (looks like I need to find some docs on what does what when here)?
> As a later email said, we are shooting for home directories in afs space.

The windowserver is (re)started at the same time that loginwindow is
putting up its login panel, so I don't think you can use that trick
for home directories in AFS (see previous posts), since there
is no good way (as far as I know, at least) to get tokens early enough.

For now I'd recommend using Alexei Kosut's Kerberos plugin,
which seems to be well written and people say it works;
I haven't tried it myself yet.
(Mine works too but is somewhat more complicated, not in
my code but in that it also uses Heimdal krb5 and the
krbafs lib. I had trouble getting krbafs+MIT-krb4 to work
when I worked on it, but now it seems to work fine. Oh well.)

We still need something to renew tickets.

At KTH we have previously been using the old loginwindow plugin
API and done it all ourselves with Heimdal and kthkrb, but we think
we should migrate to using the built-in Kerberos things now
that it seems to be possible.
We have an app to renew tickets that could be modified to
monitor and renew Apple/MIT kerberos tickets instead.
Are there any better suggestions for handling this?

(Our renew app works like this:
We check out krb5 tickets that are valid for 24 hours and
renewable for 2 weeks. When half the ticket lifetime has passed
the app starts trying to renew them, giving it 12 hours
to succeed. When half the renewable time has passed it puts
up a password dialog, giving the user one week to see the
dialog and get new tickets. The times chosen are, of course,
completely arbitrary.
The krb4 TGT and AFS tokens are also monitored, and new ones are
checked out when half their lifetime has passed.)

/ragge
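The renewal policy Ragnar describes above (renew the krb5 TGT once half its lifetime is gone, prompt for a password once half the renewable window is gone, and simply re-obtain the non-renewable krb4 TGT and AFS tokens at half life) is small enough to write down as a scheduler. The block below is an added example, not the KTH renew app's code; the 24-hour lifetime and 2-week renewable window are the post's numbers, the hourly check interval is an assumption, and nothing here talks to a KDC. It models the two Kerberos facts the policy depends on: a renewal never extends a ticket past its original renew-till time, and a ticket that has already expired cannot be renewed at all, so an expired-but-still-renewable ticket also has to fall through to the password prompt.

```python
"""Renewal scheduler modelled on the scheme described in the post above.

Added example, not the KTH renew app's code.  Assumed, as in the post:
krb5 tickets valid 24 h and renewable for 2 weeks; renew once half the
ticket lifetime has passed; prompt for a password once half the renewable
window has passed.  Krb4 TGTs and AFS tokens cannot be renewed, only
re-obtained, so they are re-acquired at half life.  No KDC is contacted;
the simulation only exercises the decision logic.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum


def hours(h):
    return timedelta(hours=h)


TICKET_LIFETIME = hours(24)   # assumed, as in the post
RENEWABLE_FOR = hours(14 * 24)  # two weeks, as in the post


class Action(Enum):
    NOTHING = "nothing"
    RENEW = "renew"          # krb5 TGT: the equivalent of kinit -R
    REACQUIRE = "reacquire"  # krb4 TGT / AFS token: fetch a fresh one using the krb5 TGT
    PROMPT = "prompt"        # renewal no longer possible: ask for the password


@dataclass(frozen=True)
class Krb5Ticket:
    first_issued: datetime  # time of the original kinit; the renewable window starts here
    issued: datetime        # start time of the current (possibly renewed) ticket
    expires: datetime       # end time of the current ticket
    renew_till: datetime    # fixed at the first kinit; no renewal may extend past it


@dataclass(frozen=True)
class Credential:
    """A krb4 TGT or an AFS token: not renewable, only re-obtainable."""
    issued: datetime
    expires: datetime


def kinit(now):
    """Model a fresh, password-based kinit."""
    return Krb5Ticket(now, now, now + TICKET_LIFETIME, now + RENEWABLE_FOR)


def half_passed(start, end, now):
    return now >= start + (end - start) / 2


def decide_krb5(ticket, now):
    """What the renew app should do with the krb5 TGT at time `now`."""
    # A KDC will not renew an expired ticket, and nothing can be renewed past
    # renew_till, so both cases need a new password-based kinit.
    if now >= ticket.expires or now >= ticket.renew_till:
        return Action.PROMPT
    # Half the renewable window gone: prompt now, leaving the other half for the user to notice.
    if half_passed(ticket.first_issued, ticket.renew_till, now):
        return Action.PROMPT
    # Half the ticket lifetime gone: start renewing, leaving the other half for retries.
    if half_passed(ticket.issued, ticket.expires, now):
        return Action.RENEW
    return Action.NOTHING


def renew(ticket, now):
    """Model a successful renewal: new lifetime, same renewable window, capped at renew_till."""
    new_expiry = min(now + TICKET_LIFETIME, ticket.renew_till)
    return replace(ticket, issued=now, expires=new_expiry)


def decide_credential(cred, now):
    """Krb4 TGT / AFS token: re-obtain once half its lifetime has passed (or it is gone)."""
    if now >= cred.expires or half_passed(cred.issued, cred.expires, now):
        return Action.REACQUIRE
    return Action.NOTHING


def simulate(start, step=hours(1)):
    """Run the scheduler from a kinit at `start` until it would put up the dialog.

    Returns (number of renewals performed, hours from kinit to the prompt).
    """
    ticket = kinit(start)
    renewals = 0
    now = start
    while True:
        action = decide_krb5(ticket, now)
        if action is Action.PROMPT:
            return renewals, (now - start) / hours(1)
        if action is Action.RENEW:
            ticket = renew(ticket, now)
            renewals += 1
        now += step


if __name__ == "__main__":
    t0 = datetime(2002, 10, 8, 0, 0)
    n, h = simulate(t0)
    print(f"{n} renewals, password prompt after {h:.0f} hours")
```

With the post's numbers and an hourly check, the scheduler renews every 12 hours (13 times) and puts up the dialog exactly one week after the original kinit, which is the "one week to see the dialog" the post describes.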