Coda File System

token acquisition automation (pam_krb+pam_kcoda)

From: Ivan Popov <pin_at_math.chalmers.se>
Date: Tue, 5 Jun 2001 16:54:34 +0200 (MET DST)

Hello Jan!

You wrote:

> It is possible to authenticate using kerberos, and then use the
> authenticator to obtain a Coda token. I'm not sure how to completely
> automate that.

Please consider the pam_kcoda hack that I have sent to codadev (I suppose
it could nicely fit on the Coda FTP area?).

It is meant to be used together with Kerberos PAM: Kerberos is used
for authentication, and pam_kcoda in the "session" section.
It runs the kclog binary and in that way does not depend on the
Coda internals and versions.
It is small and compiles nicely on Linux and with minor tweaking (removed
one #include and added a #define) on Solaris.
Functionality tested under Linux (Debian with Xfree4-pamified-xdm, OpenSSH
2.5.2p2, console login) essentially in production use.
The only real problems encountered are that pam_krb5 "session" seems to
sometimes return unexpected codes (or a libpam bug?), and that if your kclog
doesn't exist or cannot find shared libraries, you get no tokens and may
even be logged out.

The module may or may not destroy tokens on session end, as desired.

Regards,
--
Ivan Popov <pin_at_math.chalmers.se>
Received on 2001-06-05 10:54:39
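
The failure mode mentioned in the message (kclog missing, or unable to find its shared libraries) can be checked before the session module is enabled. The script below is an added example, not part of the original post or of pam_kcoda; the path given to it is wherever kclog is installed on your system, and the exit codes are this example's own convention.

```shell
#!/bin/sh
# Pre-flight check for a helper binary that a PAM session module will exec.
# Added example: function names and exit codes are this script's own.

# check_helper PATH
# Returns 0 = usable, 1 = missing, 2 = not an executable file,
#         3 = at least one shared library cannot be resolved.
check_helper() {
    helper=$1
    [ -e "$helper" ] || return 1
    [ -f "$helper" ] && [ -x "$helper" ] || return 2
    # Without ldd the library check is skipped, not failed.
    command -v ldd >/dev/null 2>&1 || return 0
    # Only run ldd on binaries you installed yourself. Its exit status is
    # ignored on purpose: static binaries and scripts make it non-zero,
    # and only "not found" lines indicate a broken dynamic link.
    if ldd "$helper" 2>/dev/null | grep -q 'not found'; then
        return 3
    fi
    return 0
}

# describe_status CODE: human-readable text for a check_helper result.
describe_status() {
    case $1 in
        0) echo "ok" ;;
        1) echo "missing" ;;
        2) echo "not executable" ;;
        3) echo "unresolved shared library" ;;
        *) echo "unknown" ;;
    esac
}

# When run with a path argument, report on it and exit with the result code.
if [ "$#" -gt 0 ]; then
    rc=0
    check_helper "$1" || rc=$?
    echo "$1: $(describe_status "$rc")"
    exit "$rc"
fi
```

Run it with the full path to kclog as the only argument, from the same environment the login service runs in, since the library search path there may differ from an interactive shell.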