Integration of k5start/krenew functionality

Jeffrey Hutzelman jhutz at
Wed Aug 5 10:02:20 EDT 2009

--On Wednesday, August 05, 2009 08:53:45 AM -0500 "Douglas E. Engert" 
<deengert at> wrote:

> Many of the issues have been addressed in login and screen unlock,
> when credentials are renewed, and pam modules handle obtaining
> additional credentials. Could pam be used from kinit much like screen
> unlock?

Probably not.  Login and screen unlock use PAM for authentication, and 
updating other credentials is done as a side-effect.  In the case of a 
screensaver, you're not starting a new session, so pam_open_session() is 
never called, but pam_setcred(PAM_REFRESH_CRED) is, so modules can handle 
token acquisition at that time.  For a hypothetical kinit, you again 
couldn't call pam_open_session(), but since you're not using PAM for 
authentication, you _also_ can't call pam_setcred, which can be used only 
after pam_authenticate() succeeds.

It's also not portable to platforms that don't use PAM, and unfortunately 
there are still a number of those, probably including some that MIT 
Kerberos cares about.

-- Jeff

More information about the krbdev mailing list