Re: pam_set_cred vs. pam_close_session

["Aaron Cohen" <aaron assonance org>]

I just looked through gdm's source and it appears to do pam_setcred
AFTER pam_close_session (which is the way I would prefer and that
makes more sense to me) but it seems like there needs to be a rule
defined and some consistancy enforced. :)

Aaron

On 3/29/07, Aaron Cohen <aaron assonance org> wrote:
> Hi there,
>     I guess this is about 6 years too late, but I've got a question
> about pam session management.
>
>     Specifically, I'm using Linux PAM, pam_krb and util-linux from
> Fedora Core 6.  I'm trying to use kerberos to authenticate a script
> which synchronizes home directories to a backup server at session
> open/close.
>
> login.c from that version of login contains the following:
> #  define PAM_END { \
>         pam_setcred(pamh, PAM_DELETE_CRED); \
>         retcode = pam_close_session(pamh,0); \
>         pam_end(pamh,retcode); \
> }
>
>
>
>
> I'm very interested in the order of pam_setcred and pam_close_session
> there, because it's rather inconvenient to me.  It results in ny
> kerberos credentials being deleted before my script gets the chance to
> clean up the session.  Is this intentional?  Is it specified somewhere
> that it has to happen in this order?  Is there a workaround I could
> manage somehow?
>
> Thanks,
> Aaron