Solaris ssh pam_krb

Douglas E. Engert deengert at anl.gov
Wed Mar 29 16:53:33 EST 2006



Nicolas Williams wrote:

> On Wed, Mar 29, 2006 at 03:24:24PM -0600, Will Fiveash wrote:
> 
>>On Wed, Mar 29, 2006 at 10:02:54AM -0600, Douglas E. Engert wrote:
>>
>>>If you really wanted to get this to work better, add a parameter
>>>on to your pam_krb5 to support this, and have it set the KRB5CCNAME.
>>
>>Suggestion noted.
> 
> 
> Sure, but not enough -- the kernel-land kgssapi/krb5 code and gssd can't
> use KRB5CCNAME to find a Secure NFS client process' ccache.
> 
> We really need a concept like the AFS PAG...

Can you do anything like what DCE/DFS used to do? In response to a note
on the OpenAFS mailing list commenting on the disjoint use of PAGS and
ticket caches I pointed out DCE had a middle ground approach to keep the
PAGs and ticket caches in sync.


> Henry B. Hotz wrote:
> 
>> 
>> You know the only thing that would *really* satisfy me is if Kerberos  
>> and AFS used the same ticket/token storage mechanism, and that  
>> mechanism had all the properties of PAG's (and there were proper  
>> tools for dealing with the storage).  None of the three camps have  
>> made fundamentally wrong design decisions, but I hate the results.
>> 
> 
> Sounds like what DCE/DFS did. The Kerberos tickets were stored
> in a well known location, with the PAG number as part of the file name.
> /opt/dcelocal/var/security/creds/deccred_xxxxxxxx  where xxxxxxxx was
> the PAG. Then the kernel could tell dced (something
> like afsd) to fetch a ticket from the cache or even get additional tickets
> and renew tickets. This also allowed DFS to use a separate principal
> for each server. This is kind of what Windows does too with cifs/servername
> principals. So it can be done.
> 
> Other applications could use the tickets in the cache by setting the
> KRB5CCNAME to point at the deccred_xxxxxxxx. So "Kerberos and DFS used the
> same ticket/token storage mechanism."
> 
>> I'll shut up now.  I think we've beat this horse to death.
> 
> It may not be dead, just turned out to pasture too early.



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
