On Thu, 2013-11-21 at 08:37 -0500, Steve Dickson wrote: > > On 20/11/13 15:49, Simo Sorce wrote: > >> I think Solution 3: [nfslog/nfslogout interfaces invoked from PAM or > >> > other login system facility] is a good way to go. Note that a PAM > >> > based solution where in the PAM would get us most of the way towards > >> > providing users with a way to login and logout of NFS kerberized > >> > shares. > >> > > >> > Comments on an NFS PAM that will destroy GSS context for a UID upon > >> > logout? > > I prefer 3 too, let it to the login system (whether PAM based or other) > > to determine when it is time to destroy credentials, that's the only > > component that have a chance of guessing right. > > Of course you could also provide a user utility to force a purge. > > > +1 for me on this options as well... > > But how is it known when somebody logs out? Is that PAM-able as well? I would say "login process" more than pam, but the basic idea is the same, a user space program that knows when the user is logging out for good and is privileged enough to go an tell the kernel to nuke creds. Simo. -- Simo Sorce * Red Hat, Inc * New York -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
