OpenSSH renewed credentials forwarding

Simon Wilkinson simon at
Wed Oct 4 17:30:00 EDT 2006


As a follow-up to yesterday's announcement of the 4.4p2 GSSAPI key patch set, I'm now looking for people who'd be interested in testing new, experimental code.

I have had a number of requests from people who've wondered whether there is a way of forwarding renewed credentials over SSH links. That is, if you're sitting with a login session at a workstation, and renew your credentials at that workstation - these renewed credentials are 'magically' transmitted to any sessions you have running on remote machines, to which you have already forwarded credentials.

I have some code implementing this behaviour, that I would be interested in getting both testing (on non-production systems) and code review of.

The re-forwarding is implemented in both client and server. The client watches for renewal of the tickets in its current cache, where the principal of the ticket remains the same as that which established the connection. When renewal occurs, it forces a rekey of the SSH connection, using GSSAPI key exchange.

When a rekey occurs, the server grabs the credentials delegated as part of that operation. Providing that these credentials have the same principal as those it originally stored into the user's ccache (and that ccache's ownership and principal hasn't changed since being originally created), it overwrites the ccache with the new

The server then does a pam_setcred with the new credentials, which allows the creation of AFS tokens, and KX509 certificates, depending on the site-specific PAM configuration.

Both client and server behaviour are controllable by means of a configuration option.

If you'd be interested in testing, or reviewing, this code, please let me know!
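The server-side acceptance rule described above, as an added illustrative model rather than code from the patch set: the server only overwrites the user's ccache when the delegated principal matches the one from the original delegation and the ccache's owner and principal are unchanged since creation. The class names, fields, the in-memory stand-in for a Kerberos ccache and the extra "must be newer" guard are assumptions of this example.

```python
"""Model of the renewed-credential check on the server side (added example;
not the OpenSSH patch's own code). A plain Python object stands in for the
Kerberos ccache; all names and sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Credential:
    principal: str          # e.g. "alice@EXAMPLE.ORG" (constructed)
    expires: int            # Unix time of ticket expiry (constructed)


@dataclass
class CCache:
    path: str
    owner_uid: int          # uid the cache was created for at login
    principal: str          # default principal written at creation
    cred: Credential


@dataclass
class SessionRecord:
    """What the server remembers from the original delegation."""
    principal: str
    ccache_path: str
    ccache_owner_uid: int


def accept_renewed_credential(rec: SessionRecord, cache: CCache,
                              delegated: Credential,
                              current_owner_uid: int) -> tuple[bool, str]:
    """Return (accepted, reason). The ccache is overwritten only when every
    invariant from the original delegation still holds."""
    if delegated.principal != rec.principal:
        return False, "delegated principal differs from session principal"
    if cache.path != rec.ccache_path:
        return False, "ccache path no longer matches the session record"
    if current_owner_uid != rec.ccache_owner_uid:
        return False, "ccache ownership changed since creation"
    if cache.principal != rec.principal:
        return False, "ccache default principal changed since creation"
    # Assumption beyond the post: refuse a ticket that is not actually newer,
    # so a replayed older delegation cannot roll the cache backwards.
    if delegated.expires <= cache.cred.expires:
        return False, "delegated ticket is not newer than the stored one"
    cache.cred = delegated  # the overwrite the post describes
    return True, "ccache updated with renewed credentials"
```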
