>For AFS/NFS there is a kerberized NFS server which does token forwarding to
>the AFS client on the same system, but I think one still has to log in to
>the NFS server to get such tokens (perhaps with the kerberized NFS client,
>this would go away; it's dead slow though).

Hrm...  Well what about approaching it from the other direction; could the
CODA security model replace the Unix/Linux /etc/passwd authentication,
i.e. so a valid CODA login counts as valid authentication on the local
system?  Could this be done using PAM?  (This would require a notion of
multiple CODA sessions from the same user on the same host, but that
shouldn't be too difficult.)  That, combined with the elimination of
this strange 25 hour expiration rule, would be quite a workable system.

BTW what exactly is the justification for the expirations?  It seems to
decrease security (by requiring daemons which store the passwords in
cleartext) rather than increase it.

Pete Gonzalez