Refreshing a token using PAM

J Michael Mosley <jmmosley@uncc.edu>
Fri, 16 Feb 2001 12:06:28 -0500 (EST)


 
Hi. I've got an AFS problem that I could use some help on.
 
    A while back, I wrote a daemon whose purpose in life is to get an AFS token
and then fire off a child daemon that does some actual work.  The parent 
continues to run and occasionally refreshes the token so that its child 
process can continue to work.  I accomplished this (in the parent) using:

setpag();  /* Set the process group */

then periodically calling

code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
                                  .
                                  .
                                  .

to refresh the token.  Notice the omission of the "KA_USERAUTH_DOSETPAG" flag.


    Now, I am in the process of converting my stuff to use the PAM library 
and I see a potential problem.  In the daemon I described above, it would seem 
that I should use: 

pam_setcred(pamh, PAM_ESTABLISH_CRED)

to establish the token in the parent daemon and then periodically call

pam_setcred(pamh, PAM_REFRESH_CRED)

to refresh the token.  Unfortunately, this does not seem to work.  Looking at
the source for the open version of AFS it appears that both the 
"PAM_ESTABLISH_CRED" and the "PAM_REFRESH_CRED" flag cause 
ka_UserAuthenticateGeneral() to be called with "KA_USERAUTH_DOSETPAG". The 
downside to this (in my case anyway) is that when the parent daemon refreshes 
the token, he does so in a new PAG, which means that the child token does not 
get refreshed and eventually goes away leaving the child unable to do its work.

How can I get around this problem? 

Thanks in advance,
Mike 

     


-------------------------------------
Mike Mosley  
Systems Software Developer 
College of Engineering, UNC-Charlotte
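
A small C model of the behaviour described in the message above, added here as an example; it is not part of the original post and is not OpenAFS code. It treats tokens as stored per PAG and shows why a refresh that creates a new PAG leaves the child's token to expire. The names model_setpag, model_fork, model_authenticate and the DOSETPAG constant are hypothetical stand-ins, and the times are constructed.

```c
/* Constructed model of PAG-scoped AFS tokens; it calls no AFS library. */
#include <stdio.h>
#include <string.h>

#define MAX_PAGS 8
#define DOSETPAG 1   /* hypothetical stand-in for KA_USERAUTH_DOSETPAG */

/* Model of the cache manager: one token expiry time per PAG, 0 = no token. */
static long token_expiry[MAX_PAGS];
static int next_pag = 1;

struct proc { int pag; };

/* Like setpag(): put the caller in a brand-new PAG that holds no tokens. */
static void model_setpag(struct proc *p) { p->pag = next_pag++; }

/* Like fork(): the child starts in the PAG the parent had at fork time. */
static struct proc model_fork(const struct proc *parent) { return *parent; }

/* Get a token; with DOSETPAG the caller is first moved to a new PAG. */
static void model_authenticate(struct proc *p, int flags, long now, long life) {
    if (flags & DOSETPAG)
        model_setpag(p);
    token_expiry[p->pag] = now + life;
}

static int has_token(const struct proc *p, long now) {
    return token_expiry[p->pag] > now;
}

/* Parent authenticates at t=0, forks, refreshes at t=50 with refresh_flags.
 * Returns 1 if the child still holds a valid token at t=120. */
static int child_survives_refresh(int refresh_flags) {
    struct proc parent = {0}, child;
    memset(token_expiry, 0, sizeof token_expiry);
    next_pag = 1;
    model_setpag(&parent);                     /* once, at startup */
    model_authenticate(&parent, 0, 0, 100);    /* token valid until t=100 */
    child = model_fork(&parent);
    model_authenticate(&parent, refresh_flags, 50, 100);
    return has_token(&child, 120);
}

int main(void) {
    printf("refresh in same PAG: child ok = %d\n", child_survives_refresh(0));
    printf("refresh with DOSETPAG: child ok = %d\n",
           child_survives_refresh(DOSETPAG));
    return 0;
}
```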