I'm interested in the possibility of a kerberised NFSv4 for Linux. We already use pam_krb for logging in, but I'm interested in the "gssd" approach that the experimental NFSv4 client uses.

Basically, someone logs in - they supply their password and pam_krb obtains a ticket. Presumably you need another pam module in the stack to pass the ticket to the gssd before anything in their home directory is touched.

(RedHat specific) Later, the pam_krb module converts the ticket from a memory to a file-based one, and presumably the pam_gssd_register module would have to be called again immediately after.

So, this brings me to the first question: For both a tty and non-tty application, what should be the flow of calls to PAM to provide full access? i.e. what gets called when, with what uid/gids?

Secondly, a hypothetical SSH that supports Kerberos (or the kerberised telnet that would actually work) would not need to call the auth part of the pam stack. For such apps, tty and non-tty, what would be the appropriate call flow?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+