login process pairing
vorlon at netexpress.net
Wed Jun 4 16:46:46 EDT 2003
On Wed, Jun 04, 2003 at 12:59:00PM -0700, Frank Cusack wrote:
> On Wed, Jun 04, 2003 at 12:07:22PM -0400, Sam Hartman wrote:
> > >>>>> "Frank" == Frank Cusack <fcusack at fcusack.com> writes:
> > Frank> How will you know if it's the last session? You *could*
> > Frank> have a per-session ccache, but that's not friendly. What
> > Frank> if I open a dozen ssh's and work in a few of them. I don't
> > Frank> want to later go back to a different window and find that I
> > Frank> have to kinit.
> > You have a per-session cache. That is what we've done for years.
> Sure, but then you can't renew forwarded credentials across all sessions,
> at least not easily.
> Any system where I can trust that I can forward a credential, should
> be trustworthy enough that I can leave a ccache behind. Ideally, you'd
> remove it, but in practice I think it's difficult to tell when the last
> session has closed.
My problem is that, as an administrator, I don't *want* to have a shared
ccache between sessions. I'm rather disappointed that the pam_krb5
module in Linux-PAM CVS has adopted this as default behavior. Between
having stale ccaches from users of legacy POP authentication cluttering
$TMPDIR indefinitely, and having credentials yanked out from under me
in other sessions because I wanted to temporarily acquire creds as
another principal for admin work in an unrelated session (or by
autocleaning on logout, depending), I don't see much advantage to
sharing creds between sessions.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20030604/888931a2/attachment.bin
More information about the krbdev