login process pairing

Frank Cusack fcusack at fcusack.com
Wed Jun 4 16:58:51 EDT 2003

On Wed, Jun 04, 2003 at 03:46:46PM -0500, Steve Langasek wrote:
> My problem is that, as an administrator, I don't *want* to have a shared
> ccache between sessions.  I'm rather disappointed that the pam_krb5
> module in Linux-PAM CVS has adopted this as default behavior.  Between
> having stale ccaches from users of legacy POP authentication cluttering
> $TMPDIR indefinitely,

Ahh, well that's a different problem.  Legacy POP auth "using krb5"
is not kerberos.  Just to authenticate, there's no reason to stash
the credential.

> and having credentials yanked out from under me
> in other sessions because I wanted to temporarily acquire creds as
> another principal for admin work in an unrelated session (or by
> autocleaning on logout, depending), I don't see much advantage to
> sharing creds between sessions.

Because I renew creds automatically when accessing krb5 services and
it looks like my cred is close to expiry.  Shared ccache means the
credential for every session is renewed, and when I switch to some
other session that has otherwise been idle forever, I don't suddenly
find that I no longer have a credential.

Perhaps this works correctly with GSSAPI'd ssh and rekeying ... does
the rekey renew the credential on the ssh client and re-forward a
renewed credential?


More information about the krbdev mailing list