ksession(TC)

ksession -- monitor an existing Kerberos credentials cache

Syntax

ksession [ -c ] [ -w ] [ -t minutes ]

Description

ksession forks and executes a user's default shell program (as specified in /etc/passwd) while monitoring their existing Kerberos credentials cache. When the user ends their shell session, ksession automatically cleans up their credentials (unless -c is specified).

If the -w option is not specified, the user is also warned if their Kerberos credentials have expired or are about to expire.

The file .credscript in the user's home directory, is executed in the following cases:

when credentials are about to expire, ksession executes /bin/sh $HOME/.credscript warn
after credentials have expired, ksession executes /bin/sh $HOME/.credscript expire
if the credentials cache is removed or becomes corrupted, ksession executes /bin/sh $HOME/.credscript error

NOTE: The .credscript file executes every 10 minutes if one of the above conditions is true. You should take this into account when programming the .credscript file.

.credscript only executes if it is owned by the user or by root, and write permission is disabled for group and other. The -w flag does not affect the execution of the .credscript file.

ksession understands the following options:

-c: do not remove the user's Kerberos credentials when the shell session ends.
-w: do not print warning messages when the user's Kerberos credentials expire or are about to expire.
-t minutes: begin printing warning messages minutes before credentials actually expire. Additionally, the .credscript file executes with the warn argument set.

Limitations

You cannot specify a shell other than the default shell defined in /etc/passwd.

Files

/etc/expire.creds: checked for credentials expiration
$HOME/.credscript: optional Bourne shell script executed upon credentials expiration

Standards conformance