Fw: SSO with telnet/rlogin/rsh

Russ Allbery rra at stanford.edu
Tue Jan 15 14:43:32 EST 2008


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>> telnetd should include both the UID and the PID in the cache name.
>> This works much more smoothly with rpc.gssd and is what I do in
>> pam-krb5.
>
> In a perfect world, we'd chuck the whole horrid scheme and create some
> utility to send the Kerberos credentials to rpc.gssd or its equivalent.
> Sigh.

I think AFS uses the correct model.  Credentials are really an attribute
of the user and for the best security should be tracked by the kernel like
any other security attribute of the user (UID, GID, supplemental groups,
capabilities, etc.).  But that gets into really nasty cross-platform
issues, not to mention annoying kernel licensing issues.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
