
Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1




Russ Allbery wrote:
| Matthew Andrews <matt@slackers.net> writes:
|
|> Hmmm.... The cascading credentials code sounds interesting, but raises
|> the practical question of how does one deal with derived credentials.
|> For example some sites configure the pam_session code to use delegated
|> krb5 credentials to acquire additional credentials such as afs tokens,
|> or x509 certificates. Since there would be no new session created, these
|> derived credentials would not get refreshed.
|
| Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
| what a screensaver would do.  This does all the right things with derived
| credentials if your PAM modules are properly written.
|
|> I think you'd need some way to hook site specific actions into the
|> refresh activity, and of course that raises the hairy problem whether
|> this refresh activity occurs in the same process, or one of its
|> descendants where the pam_session was established.
|
| You do have to run pam_session in the right place, yes.
|

Ah, yes, I forgot about PAM_REFRESH_CREDS. Thanks, that makes sense.

-Matt Andrews