porting CCAPI to UNIX

Ken Hornstein kenh at cmf.nrl.navy.mil
Sat May 5 13:51:44 EDT 2007

>Um...  That's an interesting approach.  As long as you've got that  
>control over the login process.  Are you changing the hard or soft  
>resource limit, or both?

Both resource limits.  The kits we provide to users (to be used by
users that are not coming from machines we administrate) have a
special program called "kshell" you run that sets up the credential
cache; only processes that are decendants of that program have
access to the credential cache.  Our kits also do not have support
for the file credential cache.

>Presumably you're using modified sshd and login programs, and maybe  
>ftpd and other daemons that might need credentials (such as to get  
>AFS tokens)?  Or you do have a PAM module or equivalent that gets the  
>job done on all these systems?

Our daemons already have other modifications; this was only a few lines.
We don't use PAM, but there's no reason you couldn't do this with PAM.


More information about the krbdev mailing list