Refreshing SSH forwarded/delegated credentials
Buck Huppmann
buckh at pobox.com
Sat Jun 4 16:07:31 EDT 2005
hello. sorry to cross-post, but i at least left out openssh-unix-dev@
this time around
anybody know if somebody's working on the issue of how to refresh cred-
entials forwarded/delegated to a an SSH session? e.g., if the server
is using RPCSEC_GSS-flavored NFS and your forwarded (krb5) credentials
and those credentials expire, that tends to cripple the remote login
session, no? same sorta thing with AFS, yes? are you just supposed to
use (Heimdal's) kf/kfd facility?
Google produces a few hits that seem to have to do with GSSAPI dele-
gation-refreshing some work of Douglas Engert on the Globus project,
it seems, but they don't seem to lead to any patches or discussion of
implementation. and i guess the IETF Kitten working group hasn't even
standardized a GSSAPI mechanism for adding delegated credentials to a
context, so the question of refreshing those credentials may not even
be on their radar (officially)
please stop reading and point me in the right direction if this is
all leading in the wrong direction
thanks
--buck
still there?
darn
then i guess i'm interested in stimulating implementation^Wdiscussion
about how to do it. lowering the level of abstraction to a meaningful
(for me) instance, for the moment, in the case of forwarded Kerberos
credentials that aren't themselves renewable, one could conceive of
any of the following:
1. a ``subsystem'' to which the connected SSH client could open up
a session on a separate channel to send asynchronous credential
updates for it to stick in the credential cache that the ssh-userauth
exchange set up
2. a. an agent-type function in the SSH server and client so that the
server end would sit on the writing side of a named pipe and hold
the credentials in memory, so that krb5 clients could open the pipe
up like a credentials cache file and the agent function could make
a call back to the client-end agent if it determined the cache
was stale; or,
b. since that's particularly unlikely to work with an implementation
that's expecting a real file it can read and write to (and might
be even more improbably on non-UNIX systems), the agent might al-
ternatively sit around and poll the file cache and take it upon
itself to make a call back to the client end if the cache is
``about to'' expire, and so update the cache asynchronously
in any case, please clue me in. i realize there's a really heady ad-
mixture here of SSH along with Kerberos concerns, but i thought you all
might have the wider view that could maybe be focused on this problem
before i tried to prevail upon the SSH folks to try to figure out how
to implement it, if such be their will, b/c they don't suffer fools as
graciously as you all, i gather
thanks
More information about the Kerberos
mailing list