Logging on with cached ticket
Nikolay Shopik
shopik at inblock.ru
Fri Jun 5 11:34:28 EDT 2009
On 05.06.2009 19:29, Russ Allbery wrote:
> Nikolay Shopik<shopik at inblock.ru> writes:
>> On 05.06.2009 18:36, Russ Allbery wrote:
>>> Nikolay Shopik<shopik at inblock.ru> writes:
>
>>>> Only thing I found is pam_krb5 which have existing_ticket
>>>> option. (tells pam_krb5.so to accept the presence of pre-existing
>>>> Kerberos credentials provided by the calling application in the
>>>> default credential cache as sufficient to authenticate the user, and
>>>> to skip any account management checks). While this available only in
>>>> Red Hat from what I see but not in Debian/Ubuntu.
>
>>> I could add it easily enough. I just never understood the use case.
>>> Could you explain more about how you end up in this situation? Where
>>> is the ticket coming from that's being used for authentication?
>
>> Option "existing_ticket" not available on Debian libpam-krb5
>> package. I'm sorry which situation exactly?
>
> Why would you ever want that option? What's the point of it?
No point for me now. I was searching for way to use cached tickets.
>> Well ticket is coming from KDC when it was available and can be used
>> until it expired, from my understanding.
>
> Sure, but how come you're running through a PAM stack that cares about
> your existing ticket when you still have a ticket available? There's
> probably some obvious case where this happens; I just don't know what it
> is.
pam_ccreds is do thingy for me, cache KDC credentials so user can logon
into machine even when KDC not available.
More information about the Kerberos
mailing list