pam_krenew ?

Marc Carmier mcarmier at gmail.com
Wed Mar 31 16:04:01 EDT 2010


Hello,

Effectively, the system-wide shell initialization could be one way.

I'll try to explain my needs a little more. Lots of my users won't have access to a shell;
they will connect themselves with gdm/kdm to a secured environment.
The others will have access to shell/ssh to the computers.

For some reason, I would prefer a solution with a PAM module that launches
a background process which can renew the TGT of the user.

But, if this is too hard to do, I'll take the shell initialization route.

Regards,
Marc Carmier

On 31 March 2010 at 21:38, Russ Allbery wrote:

> marc <mcarmier at gmail.com> writes:
> 
> >> I would like to have a pam_module that can have the same
> >> functionality as krenew.
> 
> I assume you mean that kicks off a background krenew process?  A PAM
> module that literally does the same thing as krenew (namely renews your
> existing credentials) doesn't make a lot of sense to me, since one
> generally just got new credentials as part of the PAM authentication.
> 
> >> I've tried to use pam_script.so on session opening to launch "krenew -K
> >> 60 -b &", but it's running as root and not with the user's rights and
> >> then can't know which ticket cache it has to renew.
> > 
> >> Could someone give me links to some kind of solution?
> 
> Normally one does this by adding an invocation of krenew to the shell
> initialization files for the user (or in the system-wide ones if you want
> it to happen for all users).  Doing it from inside a PAM module is a bit
> trickier.  Have you tried the shell initialization file route?
> 
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
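
The shell-initialization route discussed in this thread, as an added example that is not part of the original messages or of the kstart distribution: a system-wide profile snippet that starts one background krenew per ticket cache, as the logged-in user. The file path, the function names and the PID file location under `$HOME` are assumptions, and it only covers logins that source this file.

```shell
# /etc/profile.d/krenew.sh (hypothetical path): start one krenew per ticket cache.
# Assumes the PAM Kerberos module exported a FILE: cache in KRB5CCNAME.

# Print the cache file path if KRB5CCNAME names a file cache, else fail.
krenew_cache_path() {
    case "${KRB5CCNAME:-}" in
        FILE:*) printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        /*)     printf '%s\n' "$KRB5CCNAME" ;;
        *)      return 1 ;;   # KEYRING:, DIR:, unset: not handled here
    esac
}

# Succeed only if a renewer should be started for this login.
krenew_should_start() {
    cache=$(krenew_cache_path) || return 1
    # The cache must exist and belong to the invoking user, so we never
    # try to renew someone else's tickets (the root-context problem above).
    [ -f "$cache" ] && [ -O "$cache" ] || return 1
    command -v krenew >/dev/null 2>&1 || return 1
    # PID file lives in the user's home, not next to the cache in /tmp.
    pidfile="$HOME/.krenew-${cache##*/}.pid"
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        return 1              # a renewer is already running for this cache
    fi
    return 0
}

krenew_start() {
    krenew_should_start || return 0   # never fail the login shell
    # -K 60: wake up every 60 minutes; -b: go to background; -p: write PID
    krenew -K 60 -b -p "$pidfile"
}

krenew_start
unset cache pidfile
```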





More information about the Kerberos mailing list