
thoughts/comments on renewal/revocation/cleanup



Hi,

Recently for use with dtlogin I ported the slew of modules I have and wrote a
new one. Right now there's a chain of modules, which can actually be used other
than how I'm using them, but as far as I'm concerned interlock:
-pam_krb4 can be used by itself
-pam_afstok can be used with pam_krb4 or a yet-to-be-written pam_afsauth
-pam_restrict can be used with pam_krb4 and pam_afstok, pam_afsauth and
pam_afstok, or Transarc's afs module. 

The thing is, to get tokens, pam_afstok requires Kerberos tickets, and to check
if you're "authorized" pam_restrict requires AFS tokens. Right now the AFS
tokens are gotten, the PAG created, and the tokens stuffed into the kernel in
the set_cred(ESTABLISH) step, but if, say, restrict says the user is not
authorized, we have this PAG and token, and Kerberos ticket, lying around not
cleaned up. I'm debating what the "right" way to clean up is. Comments?

Also, I'm considering the usefulness of some way for a module (e.g. pam_krb4,
say) to force you to reauthenticate immediately when your authentication
expires, or for pam_restrict to kick you off a machine when a user logs into
the console. Comments?

-D


