GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Russ Allbery rra at stanford.edu
Fri Feb 29 22:12:01 EST 2008


Matthew Andrews <matt at slackers.net> writes:

> Hmmm.... The cascading credentials code sounds interesting, but raises
> the practical question of how does one deal with derived credentials.
> For example some sites configure the pam_session code to use delegated
> krb5 credentials to acquire additional credentials such as afs tokens,
> or x509 certificates. Since there would be no new session created, these
> derived credentials would not get refreshed.

Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
what a screensaver would do.  This does all the right things with derived
credentials if your PAM modules are properly written.

> I think you'd need some way to hook site specific actions into the
> refresh activity, and of course that raises the hairy problem whether
> this refresh activity occurs in the same process, or one of its
> descendants where the pam_session was established.

You do have to run pam_session in the right place, yes.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
