Subject: Re: "BSD Authentication"
To: Todd Vierling <tv@pobox.com>
From: David Holland <dholland@cs.toronto.edu>
List: current-users
Date: 11/23/1998 18:42:12
 > : PAM has other problems though as a consequence. You'll find, for
 > : instance, that the process that opens the PAM session has to stick
 > : around to close it, because otherwise the shared library data segments
 > : holding the state go away. This interacts badly with, say, init/getty/
 > : login. In RedHat 4.0 login forked your shell instead of execing it;
 > : needless to say this broke a lot of stuff... 
 > 
 > Ah, auth state.
 > 
 > Crash recovery dictates that we should be able to deal with a process going
 > away for whatever reason, including an exec()'d shell.

Well, right. So what do you do to cause, say, Kerberos ticket cleanup?
Leave notes someplace for init or telnetd or whoever's going to clean
up the session? I suppose that's possible but it seems awfully messy.

One of the things that annoyed me about Linux PAM (and they may have
fixed it, but I have my doubts) is that it put PAM session management
in places other than the corresponding stuff for the existing session
management code, like utmp manipulation. This bothered me.

-- 
   - David A. Holland             | (please continue to send non-list mail to
     dholland@cs.utoronto.ca      | dholland@hcs.harvard.edu. yes, I moved.)
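
The trade-off discussed in this thread, as an added example that is not part of the original message or of any PAM implementation: a login-style process either execs the shell (its in-process session state is lost and nothing removes the ticket) or forks and waits (cleanup runs even when the shell is killed). `struct session`, `session_open`, `session_close` and `ticket_left_behind` are hypothetical names, and the ticket file is a constructed stand-in for a Kerberos credential cache.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Hypothetical stand-in for a PAM-style session: the handle lives only in
 * this process's memory; the file stands in for a Kerberos ticket cache. */
struct session { char ticket[64]; };

static struct session *session_open(const char *path) {
    struct session *s = malloc(sizeof *s);
    if (!s) return NULL;
    snprintf(s->ticket, sizeof s->ticket, "%s", path);
    FILE *f = fopen(s->ticket, "w");
    if (!f) { free(s); return NULL; }
    fputs("constructed ticket\n", f);
    fclose(f);
    return s;
}

static void session_close(struct session *s) { unlink(s->ticket); free(s); }

/* keep_parent=1: fork the shell, wait for it, then close the session.
 * keep_parent=0: exec the shell in place, so the handle is discarded.
 * Returns 1 if the ticket is left behind, 0 if cleaned up, -1 on error. */
int ticket_left_behind(const char *path, int keep_parent) {
    pid_t login = fork();               /* plays the role of login(1) */
    if (login < 0) return -1;
    if (login == 0) {
        struct session *s = session_open(path);
        if (!s) _exit(2);
        if (!keep_parent) { execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL); _exit(3); }
        pid_t sh = fork();
        if (sh == 0) { execl("/bin/sh", "sh", "-c", "kill -9 $$", (char *)NULL); _exit(3); }
        if (sh > 0) waitpid(sh, NULL, 0);   /* returns even though the shell was killed */
        session_close(s);
        _exit(0);
    }
    if (waitpid(login, NULL, 0) < 0) return -1;
    struct stat sb;
    int left = (stat(path, &sb) == 0);
    unlink(path);                       /* tidy up after the demonstration */
    return left;
}

int main(void) {
    printf("exec: %d\n", ticket_left_behind("/tmp/demo_exec.tkt", 0));
    printf("fork: %d\n", ticket_left_behind("/tmp/demo_fork.tkt", 1));
    return 0;
}
```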