[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GSSAPI Key Exchange Patch for OpenSSH 4.7p1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Russ Allbery wrote:
| Matthew Andrews <matt@slackers.net> writes:
|
|> Hmmm.... The cascading credentials code sounds interesting, but raises
|> the practical question of how does one deal with derived credentials.
|> For example some sites configure the pam_session code to use delegated
|> krb5 credentials to acquire additional credentials such as afs tokens,
|> or x509 certificates. Since there would be no new session created, these
|> derived credentials would not get refreshed.
|
| Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
| what a screensaver would do. This does all the right things with derived
| credentials if your PAM modules are properly written.
|
|> I think you'd need some way to hook site specific actions into the
|> refresh activity, and of course that raises the hairy problem whether
|> this refresh activity occurs in the same process, or one of it's
|> descendants where the pam_session was established.
|
| You do have to run pam_session in the right place, yes.
|
ah, yes I forgot about PAM_REFRESH_CREDS. thanks, that makes sense.
- -Matt Andrews
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHyPwOpLF3UzlwZVgRAmtFAKDsV5GgRvJb05U5Hy6m/w0n3Lnt/gCg+/7n
JuBsLT/NVUBkUxbtbpvTxkY=
=yGT9
-----END PGP SIGNATURE-----