[38718] in Kerberos
Re: KEYRING:persistent and ssh
daemon@ATHENA.MIT.EDU (Ken Dreyer)
Mon Apr 13 01:16:21 2020
In-Reply-To: <487A90D2-1E48-4052-845F-E6B7D6DBDA1A@cs.rutgers.edu>
From: Ken Dreyer <ktdreyer@ktdreyer.com>
Date: Sun, 12 Apr 2020 23:13:21 -0600
Message-ID: <CAD3FbMWeh4ngCXt6vGJwXcm_dST3sDthszF85ai84QRMqkSFvQ@mail.gmail.com>
To: Charles Hedrick <hedrick@rutgers.edu>
Cc: abdullahrao <abdullah.s.rao@gmail.com>,
"kerberos@mit.edu" <kerberos@mit.edu>

On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick <hedrick@rutgers.edu> wrote:
>
> we use a pam module that normalizes the credential cache. If krb5.conf
> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
> into KEYRING and updates KRB5CCNAME.

Is this pam module open-source? It sounds like you've implemented what
Russ described earlier in this thread.

> However there’s a gotcha. Kerberized NFS uses (by default) the
> currently selected principal. So for a collection to be useful, we
> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
> always gets the right principal from the collection.

I'm interested in this as well, if it's open-source!

- Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos