Keytab-based initiator creds design

Russ Allbery rra at stanford.edu
Thu Jun 7 19:22:15 EDT 2012


Dmitri Pal <dpal at redhat.com> writes:
> On 06/07/2012 06:55 PM, Russ Allbery wrote:
>> Dmitri Pal <dpal at redhat.com> writes:

>>> We have SSSD for users and will have GSS proxy for automatic ticket
>>> renewal so this is not a problem in the long run.

>> No, you'll still have to deal with renewal on the remote system because
>> the entire world is not running UNIX on the local client.  :)
>> Reforwarding tickets from the local host will only work if the local
>> host has that capability, and renewal has a limited lifetime.

> You lost me. What remote system are you talking about?

Systems like sssd will never make the problem go away completely because
people log on to systems remotely (via ssh or however) and then stay
logged on for longer than the maximum ticket renewal lifetime.  There
always has to be some way for them to manually refresh their credentials
in that case.

There are lots of different ways of reducing the frequency of that
problem, such as using OpenSSH to redelegate credentials via a GSS-API
rekey when new credentials are obtained on the local system and such as
automatically renewing tickets if they're renewable while users are logged
in.  But the problem won't go away completely.

The more I think about it, though, the more I think you're on the right
track with not worrying about per-session ticket caches for the average
user login since you've ensured that the cache doesn't go away until all
sessions have gone away.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
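The renewal limit discussed above, shown as an added example that is not part of this thread: a small Python model of what a "renew while logged in" daemon can and cannot do with a TGT. It assumes the MIT `klist -f` line layout (which varies by version and locale) and uses a constructed cache listing; `parse_tgt`, `renewal_action` and `action_from_klist` are hypothetical names.

```python
import re
from datetime import datetime

FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"

# Constructed sample in the shape of MIT `klist -f` output; not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/07/2012 10:00:00  06/07/2012 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/14/2012 10:00:00, Flags: FRIA
"""

def parse_tgt(klist_text):
    """Return (start, expires, renew_until, flags) for the TGT as FMT strings;
    renew_until is None when the cache shows no 'renew until' line."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TS})\s+({TS})\s+krbtgt/", line)
        if not m:
            continue
        start, expires = m.groups()
        renew_until, flags = None, ""
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({TS})(?:, Flags: (\w+))?", lines[i + 1])
            if r:
                renew_until, flags = r.group(1), r.group(2) or ""
        return start, expires, renew_until, flags
    raise ValueError("no TGT in cache")

def renewal_action(start, expires, renew_until, flags, now):
    """What a keep-alive daemon could do at `now`: ('renew', new_expiry) or
    ('reauth', None) when only a fresh kinit (manual refresh) can help."""
    t = lambda s: datetime.strptime(s, FMT)
    start, expires, now = t(start), t(expires), t(now)
    if now >= expires:
        return "reauth", None            # already expired; `kinit -R` is refused
    if renew_until is None or "R" not in flags:
        return "reauth", None            # not renewable at all
    # A renewal re-issues the ticket for its original lifetime, capped at renew-until.
    new_expiry = min(now + (expires - start), t(renew_until))
    if new_expiry <= expires:
        return "reauth", None            # maximum renewable lifetime reached: renewal gains nothing
    return "renew", new_expiry.strftime(FMT)

def action_from_klist(klist_text, now):
    return renewal_action(*parse_tgt(klist_text), now)
```

The third case is the one the message is about: once the renew-until limit is reached, no amount of automatic renewal keeps a long-running remote session alive.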

