Hi,

I'm making available now 2 PAM modules in ftp://ftp.dementia.org/pub/pam

One is a Kerberos 4 module. It can do authentication, password changing and ticket file "management" (sorta; it writes an initial krbtgt only if the user logs in successfully, and removes the ticket file at logout). It expects for the purposes of password changing that you are using a real Kerberos KDC; a future module will use the kaserver to change passwords.

The other is designed to be used with the Kerberos module to get an AFS token. Currently the code is somewhat stupid as far as PAGs. Suggestions welcome; here's how it works now: If the module at startup is running as root (presumably login or su, but I haven't done anything about the case where you're running a program as root yet), it gets a PAG. At logout/shutdown it destroys all tokens, regardless of whether it created the PAG or not. As I said, I'd like to improve this.

The Kerberos 4 module requires a helper to support people using the AFS string_to_key. Look at http://andrew2.andrew.cmu.edu/dist/krbafs.html if you're in the U.S. for a helper library. If you're outside the U.S., try http://www.pdc.kth.se/kth-krb for KTH's Kerberos (eBones) distribution. In that case you may need to write a passwd_to_afskey function, presumably by copying afs_passwd_to_key in their libkrb and exporting the function. As I said, a future module supporting the kaserver directly will be done.

Incidentally, this is designed to work with the Linux PAM package, which you can find at: http://parc.power.net/morgan/Linux-PAM/index.html

It may be portable to other systems. It is ostensibly portable to Solaris.

I'm willing to take complaints, patches, suggestions, and to help if I can.

-D
