https://bugzilla.mindrot.org/show_bug.cgi?id=2775
--- Comment #6 from Charles Hedrick <[email protected]> ---

You can make reasonable arguments for how sssd behaves and how this patch behaves.

Generating a new cache for each connection lets you clean up the connection's cache separately without interfering with other collections. That approach works as long as no one starts any processes that continue running after their logout. Since that's pretty common for us, this doesn't make sense.

Having a single cache which is used by all collections makes sense as long as you have a separate way of cleaning it up when no one is using it. We do, and sssd is going to implement it.

But whichever approach you think is better, it doesn't make sense for your cache management to differ depending upon whether you log in with a password (which involves sssd) or with a Kerberos credential. If you are ever going to use a password, you can't let sshd clean up your credentials, or you're going to pull a cache out from under a different session. If sshd isn't going to clean up, then it should reuse a current credential *with the same principal* if there is one, to avoid a continuing buildup of caches.
