KRB5CCNAME and sshd

Russ Allbery rra at stanford.edu
Sat Jan 28 23:48:31 EST 2006


Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> writes:

> However, a manual operation could be easily avoided if I could persuade
> sshd to store the forwarded credentials always in the same place.

Use a Kerberos v5 PAM session module that reinitializes the ticket cache
and supports configuring the ticket cache location.  There's one in
Debian, for example, and while I've not tested this specifically, I'm
fairly sure that it will move the ticket cache for you, or at least could
be convinced to do so with a bit of hacking.

I feel your pain; this is functionality that we're actually going to lose
at Stanford when going from K4 to K5.  Currently, we use a client/server
system called kftgt to forward K4 tickets and it always writes the ticket
cache to a predictable location on the remote system.  So I can just
reinit my cache on my local system and then kftgt my tickets to all my
other logins.  However, this has nasty security problems and we're dumping
it as we move to K5.  A good way of forwarding tickets inside a regular
authentication and using them to refresh a remote ticket cache would be
very nice.  I was planning on looking at exactly the approach I describe
above to do this eventually, but won't have time for a while.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
