Integration of k5start/krenew functionality
jhutz at cmu.edu
Wed Aug 5 10:02:20 EDT 2009
--On Wednesday, August 05, 2009 08:53:45 AM -0500 "Douglas E. Engert"
<deengert at anl.gov> wrote:
> Many of the issues have been addressed in login and screen unlock,
> when credentials are renewed, and pam modules handle obtaining
> additional credentials. Could pam be used from kinit much like screen
Probably not. Login and screen unlock use PAM for authentication, and
updating other credentials is done as a side-effect. In the case of a
screensaver, you're not starting a new session, so pam_open_session() is
never called, but pam_setcred(PAM_REFRESH_CRED) is, so modules can handle
token acquisition at that time. For a hypothetical kinit, you again
couldn't call pam_open_session(), but since you're not using PAM for
authentication, you _also_ can't call pam_setcred, which can be used only
after pam_authenticate() succeeds.
It's also not portable to platforms that don't use PAM, and unfortunately
there are still a number of those, probably including some that MIT
Kerberos cares about.
More information about the krbdev