OpenSSH with Wilkinson patch on Mac OS X 10.2
lukeh at PADL.COM
Wed Oct 2 23:50:00 EDT 2002
>Unfortunately, Apple put the code to create the Authorization session
>in pam_authenticate, so it won't happen in cases where the user
>doesn't have to type a password. Which is of course mostly how
>Kerberized ssh works. Sucko.
Ironically, the original implementation we did put the code in
pam_sm_acct_mgmt() (ie. the right place), but there was some
reason why it got moved into pam_sm_authenticate(). It may have
had something to do with the fact that the Authorization API,
confusingly, required a password.
Sounds like the SessionCreate() API you mention should be used in
pam_sm_acct_mgmt() in pam_securityserver; seems to me that it
would better to fix pam_securityserver rather than propgate
proprietary Apple API into OpenSSH.
Luke Howard | PADL Software Pty Ltd | www.padl.com
More information about the krbdev