OpenSSH, PAM and kerberos
Dag-Erling Smørgrav
des at des.no
Tue Sep 3 13:24:18 UTC 2013
Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > The application does not need pam_krb5's temporary credential cache. It
> > is only used internally. Single sign-on is implemented by storing your
> > credentials in a *permanent* credential cache (either a file or KCM)
> > which is independent of the PAM session and the application. The
> > location of the permanent credential cache is exported to the
> > application through the KRB5CCNAME environment variable.
> Yes, but the content of the credential cache is obtained at the time of pam_authenticate().
Did you read *anything* that I wrote?
The pam_krb5 module obtains your credentials and stores them in a
persistent cache which is *independent* of the module and of the
application that called it. The *only* thing it needs to communicate to
the application is the value of KRB5CCNAME. If this wasn't the case,
pam_krb5 wouldn't work with *any* applications whatsoever, not just
sshd.
> Also, the authentication daemon (in case the authentication daemon calls
> pam_setcred) can't know what needs to be transferred (changed UID? new
> environment? deleted environment?)
Actually, sshd already does most of this by farming PAM out to a child
process.
DES
--
Dag-Erling Smørgrav - des at des.no