> sshd won't leak this token to the user if your PAM setup is appropriate.
> You have to make sure that the user is put into their own PAG as part of
> the session initialization process, even if they don't get a token.
I would have thought pam_krb5.so [1] does this by itself, but apparently I
am mistaken (again). While it would be relatively easy to write a small
pam module to handle the creation of a suitable PAG, I must wonder whether
one exists already? Anything that depends on aklog from openafs-krb5 will
not do since it just segfaults (probably the AES keys again, but I did not
test this point).
By the way, is Heimdal's kinit/afslog at fault here for not creating the
proper PAG? It's very convenient to have kinit do all the tricks, but if
it does them wrong...
> Ah! Thank you for saying! I never would have guessed that, and now
> I'll know for the future.
You're welcome.
Cheers,
Juha
[1] The version from :pserver:[EMAIL PROTECTED]:/usr/local/CVS -
it looks like it's the old RedHat pam_krb5.so merged with the sf.net
version and with still active development, unlike any other pam_krb5.so I
can find.
--
-----------------------------------------------
| Juha Jäykkä, [EMAIL PROTECTED] |
| Laboratory of Theoretical Physics |
| Department of Physics, University of Turku |
| home: http://www.utu.fi/~juolja/ |
-----------------------------------------------