More fun with Russ' pam_krb5
Russ Allbery
rra at stanford.edu
Tue Mar 11 20:46:22 EDT 2008
Coy Hile <coy.hile at coyhile.com> writes:
> I note that the ticket cache is set up as I would expect it given my
> entries in pam.conf. In xscreensaver, however, the plot thickens. I've
> got the following in pam.conf for xscreensaver:
>
> |xscreensaver auth requisite pam_authtok_get.so.1
> |xscreensaver auth required pam_dhkeys.so.1
> |xscreensaver auth optional /krb5/lib/security/pam_krb5.so use_first_pass debug ccache=/tmp/krb5cc_%u_XXXXXX
> |xscreensaver auth required /krb5/lib/security/pam_afs_session.so debug
> |xscreensaver auth optional pam_unix_auth.so.1

The ccache argument will be completely ignored for the xscreensaver case
since you're refreshing an existing ticket cache. pam_krb5 will therefore
look for the existing ticket cache in KRB5CCNAME in the environment, and
if not found, will use the default library ticket cache.

I could change this behavior, but your setting above still wouldn't work.
If that ccache were honored, it would generate a new random string for
XXXXXX and hence you'd get a new ticket cache that nothing pointed at and
which you weren't actually using.

If you track down why KRB5CCNAME isn't being set properly to point to your
current ticket cache before spawning xscreensaver, that will fix the rest
of the problem, I think.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
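
The lookup order described in the message above (KRB5CCNAME from the environment, otherwise the library default), as an added diagnostic sketch that is not part of the original post or of pam_krb5. The function names, the Linux-style NUL-separated environment file, the default cache name FILE:/tmp/krb5cc_<uid>, and the sample values are all assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not pam_krb5 code.

# KRB5CCNAME from a NUL-separated environment block (the layout of
# /proc/<pid>/environ on Linux); prints nothing if the variable is unset.
ccname_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Cache a refresh would update: KRB5CCNAME if set, else the library default.
# Assumption: the default is the traditional FILE:/tmp/krb5cc_<uid>.
refresh_target() {   # $1 = KRB5CCNAME value (may be empty), $2 = uid
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$2"
    fi
}

# Compare that target with the cache the login session uses.
check_refresh() {    # $1 = environ file, $2 = uid, $3 = session cache
    target=$(refresh_target "$(ccname_from_environ "$1")" "$2")
    if [ "${target#FILE:}" = "${3#FILE:}" ]; then
        echo "ok: refresh updates $target"
    else
        echo "mismatch: refresh updates $target, session uses $3"
        return 1
    fi
}

# Constructed sample data: a locker started with and without KRB5CCNAME.
demo_dir=$(mktemp -d)
printf 'HOME=/home/u\0KRB5CCNAME=FILE:/tmp/krb5cc_1000_aB3dEf\0' > "$demo_dir/set"
printf 'HOME=/home/u\0DISPLAY=:0\0' > "$demo_dir/unset"
check_refresh "$demo_dir/set" 1000 /tmp/krb5cc_1000_aB3dEf || true
check_refresh "$demo_dir/unset" 1000 /tmp/krb5cc_1000_aB3dEf || true
rm -rf "$demo_dir"
```

The second demo call reports a mismatch: with KRB5CCNAME missing from the locker's environment, the refresh lands in the default cache rather than the one created at login.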