Porting Heimdal's libkafs to MIT Kerberos

Simon Wilkinson sxw at sxw.org.uk
Sun Jan 11 05:33:42 EST 2004


Ken Hornstein wrote:

> The problem is that AFS integration becomes
> more seamless if you build it into some of your Kerberos applications,
> like kinit and into login.krb5 (or whatever you choose to use at
> login time).  

But this is true of assorted other applications which use your Kerberos 
credentials to obtain other 'tokens'. Having the Kerberos system 
binaries (and then _all_ means of login) support each and every one of 
these mechanisms really doesn't seem realistic.

We ran into this issue using UMICH's kx509 stuff. Rather than add 
support for gaining kx509 credentials left, right and centre, we use a 
PAM module to get an X509 certificate for the user based on the contents 
of their ccache. By replacing 'kinit' with a PAM-enabled application, a 
user can gather all of the credentials they need in one operation. 
Adding additional services only requires new PAM modules, rather than 
extending core code.


Cheers,

Simon.
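
The stacking arrangement described in the message above, as an added example that is not part of the original post: a PAM service file for a PAM-enabled kinit replacement. The service name `kinit-pam` and the module `pam_kx509.so` are hypothetical; `pam_krb5.so` and `pam_afs_session.so` are existing modules, and the application is assumed to call pam_authenticate() followed by pam_setcred().

```conf
# /etc/pam.d/kinit-pam   (hypothetical service name for the kinit replacement)
#
# Step 1: obtain the Kerberos TGT. This is the only module whose failure
# should fail the whole operation, so it is "required".
auth    required    pam_krb5.so

# Step 2: derive further credentials from the ccache written in step 1.
# These are "optional" so that an unreachable AFS cell or certificate
# service does not stop the user from getting Kerberos tickets.
auth    optional    pam_afs_session.so      # AFS token from the ccache
auth    optional    pam_kx509.so            # hypothetical: X.509 cert via kx509

# Adding another derived credential means adding one line here;
# the application and the Kerberos binaries are not changed.
```

Module order matters: the derived-credential modules must come after `pam_krb5.so`, since they read the ticket cache it creates.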


