>On Thu, Dec 07, 2000 at 12:06:46AM +0000, Chris wrote:
>> Hi, I have been writing a PAM module to do Kerberos 5 and AFS stuff, and
>> have run across a couple of problems.
>
>Have you looked at ports/security/pam_krb5, by the way? This does
>Kerberos 5, but not AFS.

IIRC, this module will authenticate you, but will not get you tickets.
I think this was because the tickets are stored using pam_setcred(),
hence my question. I haven't looked at it for a while though--it's
possible the situation has changed.

Anyways, what I have written gets Kerb 5 tickets, converts them to v4,
and then adds the token after setting up a PAG. Basically, what the
MIT aklog does, but it actually compiles and works with our kafs library.

>> The next is pam_setcred(). I've noticed that this is not actually
>> called from login/etc, so it doesn't do much good. Is this
>> intentional? Not that it matters much, for anything other than
>> compatibility with other modules.
>
>Patching login et al. to call pam_setcred is trivial. The only reason I
>haven't done so yet is because pam_setcred is all but useless. :-) I'm
>enclosing a previous message that I sent to the FreeBSD PAM maintainer
>(ok well it went to jdp first and then later to markm) to explain more
>fully. None of us have had time to address it yet, and this appears to
>be a bug in Linux-PAM (which is the implementation we use).

I figured it was something along these lines. :) I realize the pam_setcred
is about useless, but it would be nice to have session support.

Anyways, thanks for the pointer.

Chris