Porting Heimdal's libkafs to MIT Kerberos

Alexandra Ellwood lxs at MIT.EDU
Sun Jan 11 12:19:15 EST 2004

>So, why is AFS special?  It's not really a special Kerberos
>application, that's true; it can make use of the regular, unmodified
>Kerberos libraries.  The problem is that AFS integration becomes
>more seamless if you build it into some of your Kerberos applications,
>like kinit and into login.krb5 (or whatever you choose to use at
>login time).  Okay, you guys say MIT isn't in the business of
>providing Kerberos applications; fine, but you still _do_ provide
>them in the short term.  If the MIT Kerberos applications ever split
>off into its own distribution, maybe it would make sense to put
>libkafs in there.

On Mac OS X, we support a Login Logout Notification Plugin API to 
modify the library behavior when tickets are acquired.  This API 
exists because of the complete lack of pam on Mac OS 9 (where it was 
first introduced) and the poor quality of pam support in early 
versions of Mac OS X.

The plugin is called just after tickets are renewed automatically by 
Kerberos.app or acquired later via the login dialog or kinit.  It 
gives you the principal and the name of the ccache where the new 
tickets are placed.  The plugin API also allows you to insert code 
just before ticket destruction, although I haven't actually seen 
anyone use that part of the API.

Alexei Kosut wrote an aklog.loginLogout plugin which is used to get 
tokens whenever new tickets are acquired.

Documentation for the Login Logout Notification Plugin API:

Just FYI,

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
