Victor Sudakov <[EMAIL PROTECTED]> writes:

> However, a manual operation could be easily avoided if I could persuade
> sshd to store the forwarded credentials always in the same place.

Use a Kerberos v5 PAM session module that reinitializes the ticket cache and supports configuring the ticket cache location. There's one in Debian, for example, and while I've not tested this specifically, I'm fairly sure that it will move the ticket cache for you, or at least could be convinced to do so with a bit of hacking.

I feel your pain; this is functionality that we're actually going to lose at Stanford when going from K4 to K5. Currently, we use a client/server system called kftgt to forward K4 tickets and it always writes the ticket cache to a predictable location on the remote system. So I can just reinit my cache on my local system and then kftgt my tickets to all my other logins. However, this has nasty security problems and we're dumping it as we move to K5.

A good way of forwarding tickets inside a regular authentication and using them to refresh a remote ticket cache would be very nice. I was planning on looking at exactly the approach I describe above to do this eventually, but won't have time for a while.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
