[Bug 2775] Improve kerberos credential forwarding support

bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 18 03:54:24 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2775

--- Comment #6 from Charles Hedrick <hedrick at rutgers.edu> ---
You can make reasonable arguments for how sssd behaves and how this
patch behaves. Generating a new cache for each connection lets you
clean up the connection's cache separately without interfering with
other collections. That approach works as long as no one starts any
processes that continue running after their logout. Since that's pretty
common for us, this doesn't make sense.

Having a single cache which is used by all collections makes sense as
long as you have a separate way of cleaning it up when no one is using
it. We do, and sssd is going to implement it.

But whichever approach you think is better, it doesn't make sense for
your cache management to differ depending upon whether you log in with a
password (which involves sssd) or with a Kerberos credential. If you
are ever going to use a password, you can't let sshd clean up your
credentials, or you're going to pull a cache out from under a different
session. If sshd isn't going to clean up, then it should reuse a current
credential *with the same principal* if there is one, to avoid a
continuing buildup of caches.

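The "reuse a current credential with the same principal, never clean up" rule from the comment above, as an added Python illustration (not the sshd patch discussed in the bug): it parses an MIT `klist -l` collection listing and picks a live cache for the principal, otherwise hands back a fresh cache name without deleting anything. The listing format and the `(Expired)` suffix follow MIT Kerberos; the principals and cache names are constructed.

```python
# Constructed sample of `klist -l` output (MIT Kerberos credential cache
# collection listing). Header layout and "(Expired)" suffix follow MIT's
# format; the principals and cache names are made up for this example.
SAMPLE_KLIST_L = """\
Principal name                 Cache name
--------------                 ----------
alice@EXAMPLE.ORG              KEYRING:persistent:1000:krb_ccache_x1
bob@EXAMPLE.ORG                KEYRING:persistent:1000:krb_ccache_x2 (Expired)
"""


def parse_klist_collection(text):
    """Return [(principal, cache_name, expired)] parsed from `klist -l` output."""
    entries = []
    for line in text.splitlines()[2:]:          # skip the header and dashes
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)             # principal, then cache (+ status)
        if len(parts) != 2:
            continue
        principal, rest = parts
        expired = rest.endswith("(Expired)")
        cache = rest[: -len("(Expired)")].strip() if expired else rest.strip()
        entries.append((principal, cache, expired))
    return entries


def choose_cache(principal, klist_output, new_cache_name):
    """Pick the cache an incoming session should use.

    Returns (cache_name, reused). A live cache for the same principal is
    reused; caches for other principals are never touched and nothing is
    deleted, so a still-running process from an earlier session keeps its
    credentials and no new cache piles up per connection.
    """
    for p, cache, expired in parse_klist_collection(klist_output):
        if p == principal and not expired:
            return cache, True
    return new_cache_name, False
```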