sshd deletes the GSSAPI ticket on exit
Darren Tucker
dtucker at zip.com.au
Wed Jun 29 19:18:08 EST 2005
Senthil Kumar wrote:
[...]
> 2. Now user U1 logs in via SSH into this machine, this time with a
> PublicKey. This will cause sshd to skip pam_authenticate(), and therefore
> also skip the pam_setcred() call. As a result, the KRB5CCNAME variable will
> remain unset. No harm so far.
I think what's happening here is that pam_setcred *is* being called, but
since there's no kerberos ticket (because of the pubkey auth) no
credential cache is created.
Sounds like the underlying problem is that your PAM module is zapping
credential caches that it didn't create. I don't see how sshd can work
around this without breaking something else.
Standard disclaimer: I don't use Kerberos...
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.