[38719] in Kerberos


Re: KEYRING:persistent and ssh

daemon@ATHENA.MIT.EDU (Charles Hedrick)
Mon Apr 13 08:40:12 2020

From: Charles Hedrick <hedrick@rutgers.edu>
To: Ken Dreyer <ktdreyer@ktdreyer.com>
Date: Mon, 13 Apr 2020 12:37:32 +0000
Message-ID: <FB169014-FA8B-4464-B65C-EDF5E24E65D9@rutgers.edu>
In-Reply-To: <CAD3FbMWeh4ngCXt6vGJwXcm_dST3sDthszF85ai84QRMqkSFvQ@mail.gmail.com>
Cc: abdullahrao <abdullah.s.rao@gmail.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>

Yes. https://github.com/clhedrick/kerberos, pam_reg_cc.

However, this module does additional things, primarily registering ccs for renewd to renew. If you’re not using renewd, you might want to remove the call to register_for_delete.


> On Apr 13, 2020, at 1:13:21 AM, Ken Dreyer <ktdreyer@ktdreyer.com> wrote:
> 
> On Tue, Apr 7, 2020 at 8:39 AM Charles Hedrick <hedrick@rutgers.edu> wrote:
>> 
>> we use a pam module that normalizes the credential cache. If krb5.conf
>> asks for KEYRING and sshd leaves the cache in /tmp, the code moves it
>> into KEYRING and updates KRB5CCNAME.
> 
> Is this pam module open-source? It sounds like you've implemented what
> Russ described earlier in this thread.
> 
>> However there’s a gotcha. Kerberized NFS uses (by default) the
>> currently selected principal. So for a collection to be useful, we
>> also have a ccselect plugin to make sure that NFS (actually rpc.gssd)
>> always gets the right principal from the collection.
> 
> I'm interested in this as well, if it's open-source!
> 
> - Ken


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
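The normalization step Charles describes above (krb5.conf asks for KEYRING, sshd leaves a FILE cache in /tmp, so the module moves the credentials into the keyring collection and updates KRB5CCNAME), written out as an added illustration. This is not pam_reg_cc's code and not part of the thread. It assumes MIT Kerberos with libkrb5.so.3 present and reaches the real libkrb5 entry points (krb5_cc_resolve, krb5_cc_new_unique, krb5_cc_copy_creds, krb5_cc_switch, krb5_cc_destroy) through ctypes; a real PAM module would do the same calls in C and use pam_getenv/pam_putenv around them. The names target_collection, move_to_keyring and Krb5Error are this example's own.

```python
"""Move a login session's Kerberos credential cache into the KEYRING
collection when krb5.conf asks for one but sshd left a FILE cache in /tmp.

Added illustration, not pam_reg_cc's code.  Assumes MIT Kerberos
(libkrb5.so.3); the libkrb5 calls run only inside move_to_keyring(), so
the decision logic can be imported and exercised without a Kerberos install.
"""
import ctypes
import ctypes.util
import os
import re

_PREFIX = re.compile(r"^([A-Za-z]+):")


def ccache_type(ccname):
    """Cache type of a ccache name; a name without a TYPE: prefix is FILE."""
    m = _PREFIX.match(ccname)
    return m.group(1).upper() if m else "FILE"


def expand_ccache_name(template, uid):
    """Expand the %{uid}/%{euid} parameters of a default_ccache_name value."""
    return template.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))


def target_collection(ccname, default_ccache_name, uid):
    """Return the KEYRING collection to move into, or None when nothing
    should happen: no cache, krb5.conf does not ask for KEYRING, or the
    session cache is already a keyring cache."""
    if not ccname:
        return None
    target = expand_ccache_name(default_ccache_name, uid)
    if ccache_type(target) != "KEYRING" or ccache_type(ccname) == "KEYRING":
        return None
    return target


class Krb5Error(OSError):
    pass


def _check(code, what):
    if code != 0:
        raise Krb5Error("%s failed with krb5 error code %d" % (what, code))


def _load_libkrb5():
    lib = ctypes.CDLL(ctypes.util.find_library("krb5") or "libkrb5.so.3")
    vp, pvp, cp = ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p), ctypes.c_char_p
    # Prototypes of the MIT libkrb5 entry points used below (krb5_error_code is an int).
    protos = {
        "krb5_init_context": [pvp],
        "krb5_cc_set_default_name": [vp, cp],
        "krb5_cc_resolve": [vp, cp, pvp],
        "krb5_cc_get_principal": [vp, vp, pvp],
        "krb5_cc_new_unique": [vp, cp, cp, pvp],
        "krb5_cc_initialize": [vp, vp, vp],
        "krb5_cc_copy_creds": [vp, vp, vp],
        "krb5_cc_switch": [vp, vp],
        "krb5_cc_destroy": [vp, vp],
        "krb5_cc_close": [vp, vp],
    }
    for name, args in protos.items():
        fn = getattr(lib, name)
        fn.argtypes, fn.restype = args, ctypes.c_int
    lib.krb5_free_principal.argtypes, lib.krb5_free_principal.restype = [vp, vp], None
    lib.krb5_free_context.argtypes, lib.krb5_free_context.restype = [vp], None
    return lib


def move_to_keyring(ccname, collection):
    """Copy ccname's credentials into a fresh cache inside `collection`, make
    that cache the collection's primary (the one rpc.gssd picks by default),
    destroy the old cache, and return the value KRB5CCNAME should now carry."""
    lib = _load_libkrb5()
    ctx, src, dst, princ = (ctypes.c_void_p() for _ in range(4))
    _check(lib.krb5_init_context(ctypes.byref(ctx)), "krb5_init_context")
    try:
        # krb5_cc_new_unique("KEYRING") creates inside the default collection,
        # so point the default at the collection we want before calling it.
        _check(lib.krb5_cc_set_default_name(ctx, collection.encode()), "krb5_cc_set_default_name")
        _check(lib.krb5_cc_resolve(ctx, ccname.encode(), ctypes.byref(src)), "krb5_cc_resolve")
        _check(lib.krb5_cc_get_principal(ctx, src, ctypes.byref(princ)), "krb5_cc_get_principal")
        _check(lib.krb5_cc_new_unique(ctx, b"KEYRING", None, ctypes.byref(dst)), "krb5_cc_new_unique")
        _check(lib.krb5_cc_initialize(ctx, dst, princ), "krb5_cc_initialize")
        _check(lib.krb5_cc_copy_creds(ctx, src, dst), "krb5_cc_copy_creds")
        _check(lib.krb5_cc_switch(ctx, dst), "krb5_cc_switch")
        # Only after the copy succeeded is it safe to drop the /tmp file.
        rc = lib.krb5_cc_destroy(ctx, src)
        src = ctypes.c_void_p()  # destroy releases the handle; never close it again
        _check(rc, "krb5_cc_destroy")
    finally:
        if princ.value:
            lib.krb5_free_principal(ctx, princ)
        if src.value:
            lib.krb5_cc_close(ctx, src)
        if dst.value:
            lib.krb5_cc_close(ctx, dst)
        lib.krb5_free_context(ctx)
    return collection


if __name__ == "__main__":
    # A PAM session hook would take these from pam_getenv("KRB5CCNAME") and
    # the user's uid; for a manual run they come from the process environment.
    want = target_collection(os.environ.get("KRB5CCNAME"),
                             "KEYRING:persistent:%{uid}", os.getuid())
    if want:
        print("KRB5CCNAME=" + move_to_keyring(os.environ["KRB5CCNAME"], want))
```

The returned value is the collection name, not the subsidiary cache, so kswitch and klist -A keep working and the primary-cache selection applies. The krb5_cc_switch call is what makes the moved credentials the "currently selected" principal that rpc.gssd uses by default; that covers the single-principal login case, while the multi-principal case is what the ccselect plugin mentioned in the thread is for.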

