[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Hash: SHA1

Russ Allbery wrote:
| Matthew Andrews <matt@slackers.net> writes:
|> Hmmm.... The cascading credentials code sounds interesting, but raises
|> the practical question of how does one deal with derived credentials.
|> For example some sites configure the pam_session code to use delegated
|> krb5 credentials to acquire additional credentials such as afs tokens,
|> or x509 certificates. Since there would be no new session created, these
|> derived credentials would not get refreshed.
| Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
| what a screensaver would do.  This does all the right things with derived
| credentials if your PAM modules are properly written.
|> I think you'd need some way to hook site specific actions into the
|> refresh activity, and of course that raises the hairy problem whether
|> this refresh activity occurs in the same process, or one of it's
|> descendants where the pam_session was established.
| You do have to run pam_session in the right place, yes.

ah, yes I forgot about PAM_REFRESH_CREDS. thanks, that makes sense.

- -Matt Andrews
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org