On Wed, 21 Sep 2005 [EMAIL PROTECTED] wrote:
On Wed, 21 Sep 2005, Douglas E. Engert wrote:
Does the pam_krb5 have a force_creds option? Some do. This could allow it to
store the ticket cache during the pam_sm_authenticate call rather than the
pam_sm_setcred call.
I don't see "force.*cred" anywhere in the sources. Grepping for "force"
doesn't even turn up much.
And it looks like the only place that KRB5CCNAME gets set is in the session.c
file that handles pam_open_session(). I don't see any functionality in
auth.c or anywhere else that auth.c might call...
I checked both the 2.0.8-2 sources and the latest CVS checkout.
Got it!
There's a use_shmem option you can pass into auth and session which puts
the stash in shmem.
auth sufficient /lib/security/$ISA/pam_krb5afs.so debug use_shmem=sshd
session sufficient /lib/security/$ISA/pam_krb5afs.so debug external use_shmem=sshd
I need to do some more testing, but this appears to work with both GSSAPI
authentication ("external") and with OpenSSH's broken challenge-response
authentication ("use_shmem").
I'm using a CVS checkout of Red Hat's pam_krb5 which claims to be
something like 2.2.0-0.5
With this, I don't need to use pam_afs2 anymore (but thanks for the help
DEE =).