Porting Heimdal's libkafs to MIT Kerberos
Alexandra Ellwood
lxs at MIT.EDU
Sun Jan 11 12:19:15 EST 2004
>So, why is AFS special? It's not really a special Kerberos
>application, that's true; it can make use of the regular, unmodified
>Kerberos libraries. The problem is that AFS integration becomes
>more seamless if you build it into some of your Kerberos applications,
>like kinit and into login.krb5 (or whatever you choose to use at
>login time). Okay, you guys say MIT isn't in the business of
>providing Kerberos applications; fine, but you still _do_ provide
>them in the short term. If the MIT Kerberos applications ever split
>off into its own distribution, maybe it would make sense to put
>libkafs in there.

On Mac OS X, we support a Login Logout Notification Plugin API to
modify the library behavior when tickets are acquired. This API
exists because of the complete lack of pam on Mac OS 9 (where it was
first introduced) and the poor quality of pam support in early
versions of Mac OS X.

The plugin is called just after tickets are renewed automatically by
Kerberos.app or acquired later via the login dialog or kinit. It
gives you the principal and the name of the ccache where the new
tickets are placed. The plugin API also allows you to insert code
just before ticket destruction, although I haven't actually seen
anyone use that part of the API.

Alexei Kosut wrote an aklog.loginLogout plugin which is used to get
tokens whenever new tickets are acquired.

Documentation for the Login Logout Notification Plugin API:

<http://web.mit.edu/macdev/KfM/KerberosFramework/KerberosLogin/Documentation/LoginLogoutNotification.html>

Just FYI,

--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------