KEYRING:persistent and ssh
Ken Dreyer
ktdreyer at ktdreyer.com
Mon Apr 13 01:13:21 EDT 2020
On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick <hedrick at rutgers.edu> wrote:
>
> We use a pam module that normalizes the credential cache. If krb5.conf
> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
> into KEYRING and updates KRB5CCNAME.
Is this pam module open-source? It sounds like you've implemented what
Russ described earlier in this thread.
> However there’s a gotcha. Kerberized NFS uses (by default) the
> currently selected principal. So for a collection to be useful, we
> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
> always gets the right principal from the collection.
I'm interested in this as well, if it's open-source!
- Ken