Logging on with cached ticket

Russ Allbery rra at stanford.edu
Fri Jun 5 11:29:59 EDT 2009


Nikolay Shopik <shopik at inblock.ru> writes:
> On 05.06.2009 18:36, Russ Allbery wrote:
>> Nikolay Shopik <shopik at inblock.ru> writes:

>>> Only thing I found is pam_krb5, which has the existing_ticket
>>> option (tells pam_krb5.so to accept the presence of pre-existing
>>> Kerberos credentials provided by the calling application in the
>>> default credential cache as sufficient to authenticate the user, and
>>> to skip any account management checks). This is available only in
>>> Red Hat from what I see, not in Debian/Ubuntu.

>> I could add it easily enough.  I just never understood the use case.
>> Could you explain more about how you end up in this situation?  Where
>> is the ticket coming from that's being used for authentication?

> Option "existing_ticket" is not available in the Debian libpam-krb5
> package. I'm sorry, which situation exactly?

Why would you ever want that option?  What's the point of it?

> Well, the ticket is coming from the KDC when it was available and can be
> used until it expires, from my understanding.

Sure, but how come you're running through a PAM stack that cares about
your existing ticket when you still have a ticket available?  There's
probably some obvious case where this happens; I just don't know what it
is.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


