Matthew Andrews <[EMAIL PROTECTED]> writes:

> Hmmm.... The cascading credentials code sounds interesting, but raises
> the practical question of how does one deal with derived credentials.
> For example some sites configure the pam_session code to use delegated
> krb5 credentials to acquire additional credentials such as afs tokens,
> or x509 certificates. Since there would be no new session created, these
> derived credentials would not get refreshed.

Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the same as
what a screensaver would do. This does all the right things with derived
credentials if your PAM modules are properly written.

> I think you'd need some way to hook site specific actions into the
> refresh activity, and of course that raises the hairy problem whether
> this refresh activity occurs in the same process, or one of its
> descendants where the pam_session was established.

You do have to run pam_session in the right place, yes.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
