Porting Heimdal's libkafs to MIT Kerberos
sxw at sxw.org.uk
Sun Jan 11 05:33:42 EST 2004
Ken Hornstein wrote:
> The problem is that AFS integration becomes
> more seamless if you build it into some of your Kerberos applications,
> like kinit and into login.krb5 (or whatever you choose to use at
> login time).

But this is true of assorted other applications which use your Kerberos
credentials to obtain other 'tokens'. Having the Kerberos system
binaries (and then _all_ means of login) support each and every one of
these mechanisms really doesn't seem realistic.

We ran into this issue using UMICH's kx509 stuff. Rather than add
support for gaining kx509 credentials left, right and centre, we use a
PAM module to get an X509 certificate for the user based on the contents
of their ccache. By replacing 'kinit' with a PAM-enabled application, a
user can gather all of the credentials they need in one operation.
Adding additional services only requires new PAM modules, rather than
extending core code.