Hi,

As a follow-up to yesterday's announcement of the 4.4p2 GSSAPI key exchange patch set, I'm now looking for people who'd be interested in testing some new, experimental code.

I have had a number of requests from people who've wondered whether there is a way of forwarding renewed credentials over SSH links. That is, if you're sitting with a login session at a workstation, and renew your credentials at that workstation, these renewed credentials are 'magically' transmitted to any sessions you have running on remote machines to which you have already forwarded credentials.

I have some code implementing this behaviour, that I would be interested in getting both testing (on non-production systems) and code review of.

The re-forwarding is implemented in both client and server. The client watches for renewal of the tickets in its current cache, where the principal of the ticket remains the same as that which established the connection. When renewal occurs, it forces a rekey of the SSH connection, using GSSAPI key exchange.

When a rekey occurs, the server grabs the credentials delegated as part of that operation. Providing that these credentials have the same principal as those it originally stored into the user's ccache (and that the ccache's ownership and principal haven't changed since it was originally created), it overwrites the ccache with the new credentials. The server then does a pam_setcred with the new credentials, which allows the creation of AFS tokens and KX509 certificates, depending on the site-specific PAM configuration.

Both client and server behaviour is controllable by means of a configuration option.

If you'd be interested in testing, or reviewing, this code, please let me know!

Thanks,

Simon.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
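As an added illustration of the policy described in the mail above (a model written for this page, not code from Simon Wilkinson's OpenSSH GSSAPI patch; the `Ticket`/`CCache` structures, `RenewalWatcher`, `StoredCreds` and `store_on_rekey` are invented names, and the sample principals and timestamps are constructed), the following models the two checks the text spells out: the client only reacts to a renewed TGT for the principal that set up the connection, and the server only overwrites the ccache when the delegated principal matches the one stored at login and the cache's owner and principal are unchanged.

```python
"""Model of SSH credential re-forwarding on GSSAPI rekey.

Added illustration for this page, not the patch's own code.  Ticket, CCache,
RenewalWatcher, StoredCreds and store_on_rekey are invented for the model.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Ticket:
    client: str    # principal the ticket was issued to, e.g. "alice@EXAMPLE.ORG"
    server: str    # service principal, e.g. "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"
    endtime: int   # expiry as a unix timestamp


@dataclass
class CCache:
    owner_uid: int                # uid owning the cache file (checked server-side)
    principal: str                # default principal of the cache
    tickets: List[Ticket] = field(default_factory=list)


def tgt_for(cc: CCache, principal: str) -> Optional[Ticket]:
    """Find the TGT held for `principal`; tickets for other principals are ignored."""
    for t in cc.tickets:
        if t.client == principal and t.server.startswith("krbtgt/"):
            return t
    return None


class RenewalWatcher:
    """Client side: remember the TGT endtime for the principal that established
    the connection and report when a later poll shows a newer endtime, which is
    what a renewal looks like from the cache.  Renewals for any other principal
    in the same cache do not trigger a rekey."""

    def __init__(self, conn_principal: str, cc: CCache):
        self.principal = conn_principal
        tgt = tgt_for(cc, conn_principal)
        self.last_endtime = tgt.endtime if tgt else None

    def poll(self, cc: CCache) -> bool:
        """Return True when the client should force a GSSAPI rekey."""
        tgt = tgt_for(cc, self.principal)
        if tgt is None:
            return False                      # no usable TGT: nothing to re-forward
        renewed = self.last_endtime is not None and tgt.endtime > self.last_endtime
        self.last_endtime = tgt.endtime
        return renewed


@dataclass(frozen=True)
class StoredCreds:
    """What the server remembers about the ccache it created at login."""
    owner_uid: int
    principal: str


def store_on_rekey(original: StoredCreds, live: CCache,
                   delegated_principal: str, delegated: List[Ticket]) -> bool:
    """Server side: overwrite the user's ccache with credentials delegated during
    a rekey only if the delegated principal is the one stored at login and the
    cache still has its original owner and principal.  Returns True when the
    cache was overwritten, i.e. the point at which pam_setcred would be run."""
    if delegated_principal != original.principal:
        return False      # rekeyed as a different principal: refuse
    if live.owner_uid != original.owner_uid or live.principal != original.principal:
        return False      # cache re-owned or re-initialised since login: refuse
    live.tickets = list(delegated)
    return True


if __name__ == "__main__":
    krbtgt = "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"
    cc = CCache(1000, "alice@EXAMPLE.ORG", [Ticket("alice@EXAMPLE.ORG", krbtgt, 1000)])
    w = RenewalWatcher("alice@EXAMPLE.ORG", cc)
    cc.tickets[0] = Ticket("alice@EXAMPLE.ORG", krbtgt, 2000)   # constructed renewal
    print("rekey:", w.poll(cc))                                # rekey: True
```

The watcher deliberately keys on the connection principal rather than on "anything in the cache changed", so a user who obtains tickets for a second principal in the same cache does not cause a rekey that would deliver someone else's credentials to the remote host; the server check refuses the overwrite in that case anyway, which is the belt-and-braces arrangement the mail describes.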
