[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: thoughts/comments on renewal/revocation/cleanup



   Date: Tue, 17 Mar 1998 16:05:03 -0500 (EST)
   From: Derrick J Brashear <shadow@DEMENTIA.ORG>

   The thing is, to get tokens, pam_afstok requires kerberos tickets,
   and to check if you're "authorized" pam_restrict requires afs
   tokens. right now the afs tokens are gotten, the pag created, and the
   tokens stuffed into the kernel in the set_cred(ESTABLISH) step, but
   if, say, restrict says the user is not authorized, we have this PAG
   and token, and kerberos ticket, laying around not cleaned up. I'm
   debating what the "right" way to clean up is. Comments?

Hmm.  That's a hard one.  In the current framework, I'd argue the "right
way" is to get the tokens and tickets twice.  Once in the authentication
phase, and again the session management phase, and to destroy the
tickets and tokens at the end of the authentication phase.  This is ugly
and inefficient, but I don't see a better way of doing things.  

   Also, I'm considering the usefulness of some way for a module
   (e.g. pam_krb4, say) to force you to reauthenticate immediately when
   your authentication expires, or for pam_restrict to kick you off a
   machine when a user logs into the console. Comments?

How would pam_krb4 get the necessary password to reauthenticate you?
If you're running X, I suppose it could throw up a dialog window, but in
general it's a bad idea to train users to type their password into
dialog boxes whenever they happen to pop up on their screen.

Summarily logging a user out without giving them time to cleanly save
their emacs buffers, etc., also seems to be a problem.

						- Ted



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []