porting CCAPI to UNIX
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat May 5 13:51:44 EDT 2007
>Um... That's an interesting approach. As long as you've got that
>control over the login process. Are you changing the hard or soft
>resource limit, or both?
Both resource limits. The kits we provide to users (to be used by
users that are not coming from machines we administrate) have a
special program called "kshell" you run that sets up the credential
cache; only processes that are descendants of that program have
access to the credential cache. Our kits also do not have support
for the file credential cache.
>Presumably you're using modified sshd and login programs, and maybe
>ftpd and other daemons that might need credentials (such as to get
>AFS tokens)? Or you do have a PAM module or equivalent that gets the
>job done on all these systems?
Our daemons already have other modifications; this was only a few lines.
We don't use PAM, but there's no reason you couldn't do this with PAM.
--Ken