Derek Atkins wrote:
>
> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>
> >> (2) PAM could be called when GSSAPI is used for authentication.
> >> A PAM session routine could do the setpag, as long as the PAM
> >> routine is run from the correct process.
>
> IMHO this seems like the best solution... Continue to use the PAM
> "session" modules even when using GSSAPI authentication.
>
> > That might help. But it does not help with the gssapi delegated credentials,
> > as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
> > context. It's not in the gssapi case.
>
> Why doesn't it help?

Because when the GSSAPI is used, the delegated credential is not in
s->authctxt->krb5_ctx, so the current kafs does not work with a delegated
credential. But in all cases the credentials are in the cache, so a program
like aklog called at this point can use the KRB5CCNAME.

>
> > But both the GSSAPI delegated creds or the credentials obtained via user/password
> > have been written to the cache, and the ENV KRB5CCNAME has been set.
> > That's what running aklog or afslog works.
>
> Exactly.. Running a pam session module (that is itself a shared
> library) can perform the setpag for you. This seems to solve your
> problem without adding a direct dlopen() to ssh.
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> [EMAIL PROTECTED] www.ihtfp.com
> Computer and Internet Security Consultant

--

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
