[32224] in Kerberos


Re: pam_krenew ?

daemon@ATHENA.MIT.EDU (Marc Carmier)
Wed Mar 31 18:37:40 2010

Mime-Version: 1.0 (Apple Message framework v1077)
From: Marc Carmier <mcarmier@gmail.com>
In-Reply-To: <87ljd8wab7.fsf@windlord.stanford.edu>
Date: Wed, 31 Mar 2010 22:04:01 +0200
Message-Id: <94ECB705-61ED-4F3A-9322-023625B604B9@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

Effectively, the system-wide shell initialization could be one way.

I'll try to explain my needs a little more. Lots of my users won't have access to a shell;
they will connect themselves with gdm/kdm to a secured environment.
The others will have shell/ssh access to the computers.

For some reason, I would prefer a solution with a PAM module that launches
a background process which can renew the TGT of the user.

But, if this is too hard to do, I'll take the shell initialization route.

Regards,
Marc Carmier

On 31 March 2010 at 21:38, Russ Allbery wrote:

> marc <mcarmier@gmail.com> writes:
> 
>> I would like to have a pam_module that can have the same
>> functionality as krenew.
> 
> I assume you mean that kicks off a background krenew process?  A PAM
> module that literally does the same thing as krenew (namely renews your
> existing credentials) doesn't make a lot of sense to me, since one
> generally just got new credentials as part of the PAM authentication.
> 
>> I've tried to use pam_script.so on session opening to launch "krenew -K
>> 60 -b &", but it's running as root and not with the user's rights and
>> then can't know which ticket cache it has to renew.
> 
>> Could someone give me links to a kind of solution?
> 
> Normally one does this by adding an invocation of krenew to the shell
> initialization files for the user (or in the system-wide ones if you want
> it to happen for all users).  Doing it from inside a PAM module is a bit
> trickier.  Have you tried the shell initialization file route?
> 
> -- 
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
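
The shell-initialization route discussed in this thread, as an added example that is not part of the original messages or of the kstart distribution: a system-wide profile snippet that starts one background krenew per ticket cache, running as the logged-in user rather than root. The file path, function names and pid-file naming are assumptions, and it relies on KRB5CCNAME having been set for the session by the Kerberos PAM module.

```shell
# /etc/profile.d/krenew.sh  (hypothetical path; constructed example)
# Runs in the user's own login shell, so krenew inherits the user's UID and
# the KRB5CCNAME of this session instead of running as root from PAM.

# Print the pid-file path used for a given ticket cache name.
# The naming scheme is an assumption made for this example.
krenew_pidfile() {
    cache=${1#*:}                     # drop a "FILE:"-style type prefix
    # Keep the pid file in a per-user directory, not a shared /tmp.
    printf '%s/krenew-%s.pid\n' "${XDG_RUNTIME_DIR:-$HOME}" \
        "$(printf '%s' "$cache" | tr '/' '_')"
}

# Return 0 when a renewer should be started for the cache named in $1.
krenew_should_start() {
    [ -n "$1" ] || return 1           # no ticket cache in this session
    pf=$(krenew_pidfile "$1")
    # A live process recorded in the pid file means this cache is covered.
    if [ -r "$pf" ] && kill -0 "$(cat "$pf")" 2>/dev/null; then
        return 1
    fi
    return 0                          # no pid file, or a stale one
}

start_krenew() {
    krenew_should_start "${KRB5CCNAME:-}" || return 0
    command -v krenew >/dev/null 2>&1 || return 0
    # -K 60: wake up every 60 minutes, -b: go to the background,
    # -k: name the cache explicitly, -p: record the PID for later logins.
    krenew -K 60 -b -k "$KRB5CCNAME" -p "$(krenew_pidfile "$KRB5CCNAME")"
}

start_krenew
```

This covers only sessions that read the shell initialization files; users who log in through gdm/kdm without a login shell are not reached by it.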

