KEYRING:persistent and ssh

Ken Dreyer ktdreyer at ktdreyer.com
Mon Apr 13 01:13:21 EDT 2020


On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick <hedrick at rutgers.edu> wrote:
>
> we use a pam module that normalizes the credential cache. If krb5.conf
> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
> into KEYRING and updates KRB5CCNAME.

Is this pam module open-source? It sounds like you've implemented what
Russ described earlier in this thread.

> However there’s a gotcha. Kerberized NFS uses (by default) the
> currently selected principal. So for a collection to be useful, we
> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
> always gets the right principal from the collection.

I'm interested in this as well, if it's open-source!

- Ken



More information about the Kerberos mailing list