[29057] in Kerberos
Re: Fw: SSO with telnet/rlogin/rsh
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Jan 15 14:44:02 2008
To: kerberos@mit.edu
In-Reply-To: <200801151905.m0FJ5sXa012014@ginger.cmf.nrl.navy.mil> (Ken
Hornstein's message of "Tue\, 15 Jan 2008 14\:05\:54 -0500")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 15 Jan 2008 11:43:32 -0800
Message-ID: <87lk6qj2mz.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>> telnetd should include both the UID and the PID in the cache name.
>> This works much more smoothly with rpc.gssd and is what I do in
>> pam-krb5.
>
> In a perfect world, we'd chuck the whole horrid scheme and create some
> utility to send the Kerberos credentials to rpc.gssd or its equivalent.
> Sigh.
I think AFS uses the correct model. Credentials are really an attribute
of the user and for the best security should be tracked by the kernel like
any other security attribute of the user (UID, GID, supplemental groups,
capabilities, etc.). But that gets into really nasty cross-platform
issues, not to mention annoying kernel licensing issues.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
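The per-session cache naming recommended in the quoted text (UID plus PID), as an added C example that is not from this thread nor from telnetd or pam-krb5; the /tmp directory, the FILE: prefix and the function names are assumptions:

```c
/* Added example: derive a per-login-session Kerberos credential cache
 * name from the user's UID and the session PID, then create it safely.
 * Not code from telnetd, pam-krb5 or the thread; paths are assumed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define CCACHE_DIR "/tmp"   /* assumed cache directory */

/* Build "FILE:/tmp/krb5cc_<uid>_<pid>". A name keyed on UID alone is
 * shared by every session of that user, so a second login clobbers the
 * first; adding the PID gives each session its own cache.
 * Returns 0, or -1 if the name would not fit in buf. */
int build_ccache_name(char *buf, size_t len, uid_t uid, pid_t pid)
{
    int n = snprintf(buf, len, "FILE:%s/krb5cc_%lu_%ld",
                     CCACHE_DIR, (unsigned long)uid, (long)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create the session's cache file, mode 0600 and owned by the user.
 * O_EXCL refuses to adopt a file that already exists at that path, so a
 * stale or foreign file is never silently reused. The caller (running
 * as root, as a login daemon does) then exports KRB5CCNAME=<name> so the
 * session's processes can find the cache. Returns an fd or -1 (errno). */
int create_session_ccache(const char *name, uid_t uid, gid_t gid)
{
    const char *path = strncmp(name, "FILE:", 5) == 0 ? name + 5 : name;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}
```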
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos