[OpenAFS-port-darwin] krb5 aklog.loginlogout ?

Derrick J Brashear shadow@dementia.org
Fri, 18 Jun 2004 04:38:09 -0400 (EDT)


On Fri, 18 Jun 2004, Eric Knauel wrote:

> >> Both krb5 aklog plugins, Ragnar's and yours, don't call unlog on
> >> logout.  I wonder, what is the reason for this and is this harmless?
> >
> > Well, it presumably means the next login with that uid will have those
> > tokens. And in fact if you did the unlog it would mean if the same uid still
> > had sessions logged in, they'd go away.
>
> Is this because the token is tied to a certain uid and not a PAG?

Yup.

> Is there a possibility to tie the token to a PAG for the Aqua session
> so it's not mixed with other sessions, i.e. ssh sessions to the same
> machine by the same user id?

Well, see, here's the thing. How do you get the WindowServer into a PAG?
Or rather, I guess the right way to ask that is, how do you get it into
the PAG you want it in...

> Maybe it's easier to open a new PAG for each ssh session.  However,
> finding a pam_krb5 for OS X that actually works seems to be another
> problem...

Bah, just build openssh with krb5 support directly. Don't go out of your
way to find problems.