KEYRING:persistent and ssh
Charles Hedrick
hedrick at rutgers.edu
Mon Apr 13 08:37:32 EDT 2020
Yes. https://github.com/clhedrick/kerberos pam_reg_cc.
However, this module does additional things, primarily registering cc’s for renewd to renew. If you’re not using renewd, you might want to remove the call to register_for_delete.
> On Apr 13, 2020, at 1:13:21 AM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:
>
> On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick <hedrick at rutgers.edu> wrote:
>>
>> we use a pam module that normalizes the credential cache. If krb5.conf
>> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
>> into KEYRING and updates KRB5CCNAME.
>
> Is this pam module open-source? It sounds like you've implemented what
> Russ described earlier in this thread.
>
>> However there’s a gotcha. Kerberized NFS uses (by default) the
>> currently selected principal. So for a collection to be useful, we
>> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
>> always gets the right principal from the collection.
>
> I'm interested in this as well, if it's open-source!
>
> - Ken
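As an added illustration (not code from the clhedrick/kerberos repository nor from anyone in this thread), the following Python models the decision the pam module is described as making: given the cache sshd left behind in KRB5CCNAME and the default_ccache_name from krb5.conf, decide whether the cache has to be moved into the KEYRING collection and what KRB5CCNAME should become. The real module is C and calls libkrb5 to do the actual move; this only implements the cache-name parsing and the decision. The `select_principal_for_nfs` rule (pick the user's own principal in the local realm) is an assumed policy standing in for whatever the site's ccselect plugin does, since the thread does not say how it chooses.

```python
"""Model of the credential-cache normalization described in the thread.

Assumptions (not taken from the thread or the linked repository):
  - cache names follow the libkrb5 TYPE:residual convention, with a bare
    path meaning a FILE cache;
  - default_ccache_name may use the %{uid} and %{username} parameters;
  - the ccselect policy for NFS is "the user's own principal in the local
    realm", regardless of which cache is currently primary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CCacheName:
    ctype: str      # e.g. "FILE", "KEYRING", "DIR"
    residual: str   # everything after the first ':'


def parse_ccache_name(name: str) -> CCacheName:
    """Split a credential cache name into type and residual.

    A name with no type prefix (or one that starts with '/') is a FILE cache,
    which is what sshd typically leaves in /tmp.
    """
    if ":" not in name or name.startswith("/"):
        return CCacheName("FILE", name)
    ctype, residual = name.split(":", 1)
    return CCacheName(ctype.upper(), residual)


def expand_ccache_template(template: str, uid: int, username: str) -> str:
    """Expand the %{uid} / %{username} parameters allowed in default_ccache_name."""
    return template.replace("%{uid}", str(uid)).replace("%{username}", username)


def is_keyring_collection(name: str) -> bool:
    """True for KEYRING:persistent:<uid> and its subsidiary caches
    (KEYRING:persistent:<uid>:<subsidiary>), i.e. anything inside the
    per-user persistent collection."""
    parsed = parse_ccache_name(name)
    return parsed.ctype == "KEYRING" and parsed.residual.startswith("persistent:")


def normalize_ccache(current: str, default_template: str, uid: int, username: str):
    """Return (needs_move, target_name).

    needs_move is True exactly when krb5.conf asks for a KEYRING collection
    but the login left the credentials somewhere else (a FILE cache in /tmp).
    The target is the collection anchor; the real pam module would then move
    the credentials there and export KRB5CCNAME=target for the session.
    """
    target = expand_ccache_template(default_template, uid, username)
    if not is_keyring_collection(target):
        return False, current   # site does not use KEYRING: nothing to normalize
    if is_keyring_collection(current):
        return False, current   # already inside the collection
    return True, target


def select_principal_for_nfs(collection: dict, username: str, realm: str):
    """Assumed ccselect policy for rpc.gssd (not the actual plugin's logic).

    `collection` maps each cache name in the user's collection to the client
    principal it holds. Return the cache holding <username>@<realm>, so NFS
    gets the user's own identity even if a different cache (say, an admin
    instance) is currently the primary one. Returns None if no such cache.
    """
    wanted = f"{username}@{realm}"
    for cache_name, principal in collection.items():
        if principal == wanted:
            return cache_name
    return None


if __name__ == "__main__":
    # Constructed sample: sshd left a FILE cache, krb5.conf wants KEYRING.
    print(normalize_ccache("FILE:/tmp/krb5cc_1000_AbCdEf",
                           "KEYRING:persistent:%{uid}", 1000, "alice"))
    # Constructed sample collection with two principals for the same user.
    caches = {
        "KEYRING:persistent:1000:krb_ccache_a": "alice/admin@EXAMPLE.ORG",
        "KEYRING:persistent:1000:krb_ccache_b": "alice@EXAMPLE.ORG",
    }
    print(select_principal_for_nfs(caches, "alice", "EXAMPLE.ORG"))
```

The two sample inputs in the `__main__` block are constructed for the illustration; the principal names, uid and cache residuals are placeholders, not values from the thread.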