login process pairing
Frank Cusack
fcusack at fcusack.com
Wed Jun 4 16:58:51 EDT 2003
On Wed, Jun 04, 2003 at 03:46:46PM -0500, Steve Langasek wrote:
> My problem is that, as an administrator, I don't *want* to have a shared
> ccache between sessions. I'm rather disappointed that the pam_krb5
> module in Linux-PAM CVS has adopted this as default behavior. Between
> having stale ccaches from users of legacy POP authentication cluttering
> $TMPDIR indefinitely,

Ahh, well that's a different problem. Legacy POP auth "using krb5"
is not kerberos. Just to authenticate, there's no reason to stash
the credential.

> and having credentials yanked out from under me
> in other sessions because I wanted to temporarily acquire creds as
> another principal for admin work in an unrelated session (or by
> autocleaning on logout, depending), I don't see much advantage to
> sharing creds between sessions.

Because I renew creds automatically when accessing krb5 services and
it looks like my cred is close to expiry. Shared ccache means the
credential for every session is renewed, and when I switch to some
other session that has otherwise been idle forever, I don't suddenly
find that I no longer have a credential.

Perhaps this works correctly with GSSAPI'd ssh and rekeying ... does
the rekey renew the credential on the ssh client and re-forward a
renewed credential?

/fc