[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1

To: Matthew Andrews <matt@slackers.net>
Subject: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
From: Russ Allbery <rra@stanford.edu>
Date: Fri, 29 Feb 2008 19:12:01 -0800
Cc: heimdal-discuss@sics.se, openssh-unix-dev@mindrot.org, kerberos@mit.edu
In-Reply-To: <47C8C55C.4020706@slackers.net> (Matthew Andrews's message of "Fri\, 29 Feb 2008 18\:54\:20 -0800")
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: The Eyrie
References: <0DC5C238-7F48-41F5-A0DB-DEF62E0698D8@inf.ed.ac.uk><46FD7176.3020108@anl.gov> <20070928214023.GP11376@Sun.COM><47C8C55C.4020706@slackers.net>
Reply-To: heimdal-discuss@sics.se, Russ Allbery <rra@stanford.edu>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Matthew Andrews <matt@slackers.net> writes:

> Hmmm.... The cascading credentials code sounds interesting, but raises
> the practical question of how does one deal with derived credentials.
> For example some sites configure the pam_session code to use delegated
> krb5 credentials to acquire additional credentials such as afs tokens,
> or x509 certificates. Since there would be no new session created, these
> derived credentials would not get refreshed.

Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
what a screensaver would do.  This does all the right things with derived
credentials if your PAM modules are properly written.

> I think you'd need some way to hook site specific actions into the
> refresh activity, and of course that raises the hairy problem whether
> this refresh activity occurs in the same process, or one of it's
> descendants where the pam_session was established.

You do have to run pam_session in the right place, yes.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Follow-Ups:
- Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
  - From: Matthew Andrews <matt@slackers.net>

References:
- Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
  - From: Matthew Andrews <matt@slackers.net>

Prev by Date: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
Next by Date: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
Prev by thread: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
Next by thread: Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
Index(es):
- Date
- Thread