login process pairing

Steve Langasek vorlon at netexpress.net
Wed Jun 4 16:46:46 EDT 2003


On Wed, Jun 04, 2003 at 12:59:00PM -0700, Frank Cusack wrote:
> On Wed, Jun 04, 2003 at 12:07:22PM -0400, Sam Hartman wrote:
> > >>>>> "Frank" == Frank Cusack <fcusack at fcusack.com> writes:
> > 
> >     Frank> How will you know if it's the last session?  You *could*
> >     Frank> have a per-session ccache, but that's not friendly.  What
> >     Frank> if I open a dozen ssh's and work in a few of them.  I don't
> >     Frank> want to later go back to a different window and find that I
> >     Frank> have to kinit.

> > You have a per-session cache.  That is what we've done for years.

> Sure, but then you can't renew forwarded credentials across all sessions,
> at least not easily.

> Any system where I can trust that I can forward a credential, should
> be trustworthy enough that I can leave a ccache behind.  Ideally, you'd
> remove it, but in practice I think it's difficult to tell when the last
> session has closed.

My problem is that, as an administrator, I don't *want* to have a shared
ccache between sessions.  I'm rather disappointed that the pam_krb5
module in Linux-PAM CVS has adopted this as default behavior.  Between
having stale ccaches from users of legacy POP authentication cluttering
$TMPDIR indefinitely, and having credentials yanked out from under me
in other sessions because I wanted to temporarily acquire creds as
another principal for admin work in an unrelated session (or by
autocleaning on logout, depending), I don't see much advantage to
sharing creds between sessions.

-- 
Steve Langasek
postmodern programmer
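As an added illustration of the two administrative concerns raised above (not code from the thread, from pam_krb5, or from Linux-PAM), here are two small POSIX shell helpers: one that hands a login session its own credential cache name, so a kinit as another principal in one window cannot replace the cache another window is using, and one that sweeps stale krb5cc_* files out of a directory. The helpers only manage the cache files themselves; no KDC, kinit or pam_krb5 is exercised, and the directory, uid and age threshold are assumed inputs supplied by the caller.

```shell
# Added example, not part of the original message.  Cache files are
# handled as plain files; nothing here talks to Kerberos.

# Allocate a per-session credential cache, as a PAM session module might,
# and print the value to export as KRB5CCNAME.  $1 = cache directory
# (assumed; typically $TMPDIR or /tmp), $2 = numeric uid of the user.
# A unique name per session is what prevents one session's kinit from
# clobbering the credentials another session is still using.
session_ccache() {
    dir=$1
    uid=$2
    f=$(mktemp "$dir/krb5cc_${uid}_XXXXXX") || return 1
    chmod 0600 "$f"            # a ccache must never be group/world readable
    printf 'FILE:%s\n' "$f"
}

# Remove stale caches left behind by sessions that never cleaned up
# (the legacy-POP case above): krb5cc_* files in $1 not modified for
# more than $2 days.  Prints the number of files removed.
sweep_stale_ccaches() {
    dir=$1
    days=$2
    n=$(find "$dir" -maxdepth 1 -type f -name 'krb5cc_*' -mtime "+$days" -print | wc -l)
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_*' -mtime "+$days" -exec rm -f {} +
    echo $((n))
}
```

Usage in a login script would be `KRB5CCNAME=$(session_ccache "${TMPDIR:-/tmp}" "$(id -u)"); export KRB5CCNAME`, with `rm -f "${KRB5CCNAME#FILE:}"` in the logout path; the sweep is what a cron job would run against $TMPDIR for the sessions that never reach that logout path.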