Coda File System

new version of pam_kcoda

From: Ivan Popov <>
Date: Mon, 19 Nov 2001 13:28:03 +0100 (MET)

The new one (0.3) is more conformant to PAM conventions than 0.2, hence
less sensitive to application [mis]behaviour.
I would recommend possible users to upgrade, as version 0.2 breaks with
some applications (not really its fault).

Version 0.3 should be used as follows (pathnames may vary):
[auth required [ccache=SAFE require_keytab]]
auth optional [kclog /usr/local/bin/kclog] [ignore_root]

[session optional [cunlog /usr/local/bin/cunlog] [nocunlog]]

auth entry creates a coda token based on a kerberos tgt, that is there
must be a kerberos auth module before pam_kcoda.

session entry destroys the coda token on session close.

(session entry with "nocunlog" option is essentially a no-op)

Tested on Linux with pam_krb5 from (be sure to supply
ccache=SAFE argument to pam_krb5, otherwise it needs a patch when used
with Linux glibc).

My hope is that the 0.3-module will be available on
otherwise mail me if you are using kerberized coda.

IMHO kerberos is a very convenient complement to Coda (and vice versa),
give it a try. At least you get one password database to support instead
of two - and no cleartext passwords. Some other cleartext things are still
there in Coda, but going to be fixed..? :)

Aghmmm, the hard part, a howto... The best I can suggest:
Search the web, become familiar with kerberos concepts,
set up a krb5 realm, create principals for users:
"<username>", and for the coda auth server: "host/<>"
(or "coda/<>" - check by running
grep SRV5PRINC coda-src/auth2/krbsupport.c),
compile Coda with kerberos support [and without Coda password auth],
create keytab for "{host|coda}/<>" on the Coda auth
server, set up pam modules: pam_krb5 and pam_kcoda for all of your login
services like ssh, xdm and so on. Then it works.

I had to apply a patch to krbsupport.c (posted here), but there are
chances it would work for you without the patch.

Recommended: principals for all of client hosts: "host/<>"
and corresponding keytabs on the clients, making krb5 authentication

Received on 2001-11-19 07:28:12
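
The stacking rules stated in the message above (a Kerberos auth module before pam_kcoda, ccache=SAFE on pam_krb5, a session entry that is not "nocunlog" if the token should be destroyed on logout) can be checked mechanically. The following is an added example, not part of the original post or of pam_kcoda; the ".so" file names, the /lib/security paths and both sample service files are constructed assumptions, and rules pulled in through include lines are not followed.

```python
import re

# Module names come from the post; ".so" suffix and paths are assumptions.
KRB5, KCODA = "pam_krb5", "pam_kcoda"

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d service file."""
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            mod = re.sub(r"\.so$", "", m.group(3).rsplit("/", 1)[-1])
            yield m.group(1).lower(), m.group(2), mod, m.group(4).split()

def lint(text):
    """Return findings for the ordering and options the post calls for."""
    rules = list(parse_pam(text))
    auth = [(mod, args) for t, _, mod, args in rules if t == "auth"]
    mods = [mod for mod, _ in auth]
    findings = []
    if KCODA not in mods:
        findings.append("no auth entry for pam_kcoda: no Coda token is created")
    elif KRB5 not in mods[:mods.index(KCODA)]:
        findings.append("pam_kcoda runs before any pam_krb5 auth entry")
    for mod, args in auth:
        if mod == KRB5 and "ccache=SAFE" not in args:
            findings.append("pam_krb5 auth entry lacks ccache=SAFE")
    sess = [args for t, _, mod, args in rules if t == "session" and mod == KCODA]
    if not sess or all("nocunlog" in a for a in sess):
        findings.append("Coda token is not destroyed on session close")
    return findings

# Constructed sample service files (not taken from the post).
GOOD = """
auth    required /lib/security/pam_krb5.so ccache=SAFE
auth    optional /lib/security/pam_kcoda.so kclog /usr/local/bin/kclog ignore_root
session optional /lib/security/pam_kcoda.so cunlog /usr/local/bin/cunlog
"""
BAD = """
auth    optional /lib/security/pam_kcoda.so kclog /usr/local/bin/kclog
auth    required /lib/security/pam_krb5.so   # ccache=SAFE missing
session optional /lib/security/pam_kcoda.so nocunlog
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(conf) or "ok")
```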