pam_set_cred vs. pam_close_session
Aaron Cohen
aaron at assonance.org
Thu Mar 29 18:40:18 UTC 2007
I just looked through gdm's source and it appears to do pam_setcred
AFTER pam_close_session (which is the way I would prefer and that
makes more sense to me) but it seems like there needs to be a rule
defined and some consistency enforced. :)
Aaron
On 3/29/07, Aaron Cohen <aaron at assonance.org> wrote:
> Hi there,
> I guess this is about 6 years too late, but I've got a question
> about pam session management.
>
> Specifically, I'm using Linux PAM, pam_krb and util-linux from
> Fedora Core 6. I'm trying to use Kerberos to authenticate a script
> which synchronizes home directories to a backup server at session
> open/close.
>
> login.c from that version of login contains the following:
> # define PAM_END { \
> pam_setcred(pamh, PAM_DELETE_CRED); \
> retcode = pam_close_session(pamh,0); \
> pam_end(pamh,retcode); \
> }
>
> I'm very interested in the order of pam_setcred and pam_close_session
> there, because it's rather inconvenient to me. It results in my
> Kerberos credentials being deleted before my script gets the chance to
> clean up the session. Is this intentional? Is it specified somewhere
> that it has to happen in this order? Is there a workaround I could
> manage somehow?
>
> Thanks,
> Aaron
>