OpenSSH with Wilkinson patch on Mac OS X 10.2

Luke Howard lukeh at PADL.COM
Wed Oct 2 23:50:00 EDT 2002


>Unfortunately, Apple put the code to create the Authorization session 
>in pam_authenticate, so it won't happen in cases where the user 
>doesn't have to type a password.  Which is of course mostly how 
>Kerberized ssh works.  Sucko.

Ironically, the original implementation we did put the code in 
pam_sm_acct_mgmt() (i.e. the right place), but there was some
reason why it got moved into pam_sm_authenticate(). It may have
had something to do with the fact that the Authorization API,
confusingly, required a password. 

Sounds like the SessionCreate() API you mention should be used in
pam_sm_acct_mgmt() in pam_securityserver; seems to me that it 
would be better to fix pam_securityserver rather than propagate
proprietary Apple API into OpenSSH.

-- Luke


--
Luke Howard | PADL Software Pty Ltd | www.padl.com



More information about the krbdev mailing list