GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Simon Wilkinson simon at sxw.org.uk
Sat Mar 1 07:06:41 EST 2008


On 1 Mar 2008, at 03:12, Russ Allbery wrote:

> Matthew Andrews <matt at slackers.net> writes:
>
>> Hmmm.... The cascading credentials code sounds interesting, but raises
>> the practical question of how does one deal with derived credentials.
>>
> Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
> what a screensaver would do.  This does all the right things with derived
> credentials if your PAM modules are properly written.

This is exactly what my cascading credentials code for OpenSSH does.
It uses an additional PAM stack (so you can set different options
than the 'main' ssh PAM stack) which it calls the session layer of
whenever credentials are renewed. We use this to renew both AFS
tokens, and KX509 certificates.

Informatics are now running this code in production. I expect to be
making a public release next week.

Cheers,

Simon.
