OpenSSH with Wilkinson patch on Mac OS X 10.2
lukeh at PADL.COM
Wed Oct 2 23:54:01 EDT 2002
>Sounds like the SessionCreate() API you mention should be used in
>pam_sm_acct_mgmt() in pam_securityserver; seems to me that it
>would be better to fix pam_securityserver rather than propagate
>proprietary Apple API into OpenSSH.
Sorry, I should have looked at the code closely before engaging
SessionCreate() is used in pam_sm_authenticate(). In any case,
the proper place for this would seem to be pam_sm_setcred() or
pam_sm_open_session(). There are some rather cryptic comments
in pam_securityserver.c as to why this is not done:
* The purpose of this function is to set the user's "credentials".
* This function is invoked only *after* the user has been authenticated.
* AFAIK, PAM's ideas of "credentials" is taking any information the
* authentication token has and making that available to the calling
* program through pam_set_data(). This can also be an opportunity
* to make additional information available to the authentication token.
* Since our SecurityServer token doesn't know anything more about
* the user or environment than the calling program does, this essentially
* checks the authentication token to ensure that it is still valid.
* We could also give some additional information to the SecurityServer,
* but apparently the SecurityServer doesn't actually use or allow the
* retrieval of that information at this time.
Luke Howard | PADL Software Pty Ltd | www.padl.com