Appreciate your explanations and suggestions.

I was wondering about having the krenew process killed automatically when the user
logs out, if the ccache is cleared.

Regards,
Qing

On 12/10/2013 11:06 PM, Simo Sorce wrote:
On Fri, 2013-10-11 at 12:07 -0400, Qing Chang wrote:
IPA clients (RHEL, CentOS and Ubuntu 12.04) do not clear
credential cache files when a user logs out from an ssh session.

The pam_sss man page does not have much information on how
it manages to clean out a session when the session is ended.

These are my sshd and common-session files:
===== sshd =====
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
@include common-password
=====

===== common-session =====
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
=====

Is this a pam configuration issue or a pam_sss issue?
pam_sss knows nothing about caches, as the work of creating them is done
by the sssd daemon, so caches are simply not removed at log out.

This is mostly because, to simplify things, we share the same ccache
with all the sessions from the same user. So it is not always easy to
know whether a ccache can safely be removed w/o disrupting other
sessions, or future cron jobs.

It is a limitation we are aware of and live with, as it makes the user
experience under other povs much smoother (access to secure nfs shares,
cron jobs, etc ...).

As a workaround, if you really do not trust leaving caches behind, a
simple kdestroy before terminating the session will do what you want.

Simo.
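Simo's workaround (a kdestroy before the session ends) and Qing's wish for cleanup to happen automatically at logout can be combined in a pam_exec session hook that destroys the cache only when the user's last login session closes, which is the case Simo says is hard to detect. This is an added example, not code from either poster or from SSSD; the script path, the pam_exec line and the FILE: cache type are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): a pam_exec session hook
# that runs kdestroy only when the last login session of the user ends, so a
# ccache shared with the user's other sessions (or cron jobs) is left alone.
# Assumed wiring, appended to the sshd stack (path is hypothetical):
#   session optional pam_exec.so quiet /usr/local/sbin/kdestroy-last-session.sh
# pam_exec exports PAM_TYPE (open_session/close_session), PAM_USER and PAM_TTY,
# plus the PAM environment, which carries the KRB5CCNAME set by pam_sss.

# count_other_sessions USER TTY WHO_OUTPUT: number of `who` entries for USER
# on a tty other than TTY (the closing session may or may not still be listed).
count_other_sessions() {
    printf '%s\n' "$3" |
        awk -v u="$1" -v t="$2" '$1 == u && $2 != t { n++ } END { print n + 0 }'
}

# should_destroy PAM_TYPE USER TTY WHO_OUTPUT: succeeds only on close_session
# when no other login session of USER remains.
should_destroy() {
    [ "$1" = "close_session" ] || return 1
    [ "$(count_other_sessions "$2" "$3" "$4")" -eq 0 ]
}

# Entry point when invoked by pam_exec (runs as root from the sshd stack).
# kdestroy -c on a FILE: cache needs no switch to the user's identity, and
# not calling su/runuser here keeps the hook from re-entering the PAM stack.
main() {
    [ -n "${KRB5CCNAME:-}" ] || exit 0    # no Kerberos ccache for this session
    tty=${PAM_TTY#/dev/}                  # /dev/pts/N from sshd -> pts/N as in who
    if should_destroy "$PAM_TYPE" "$PAM_USER" "$tty" "$(who)"; then
        kdestroy -c "$KRB5CCNAME" 2>/dev/null || true
    fi
    exit 0                                # never fail the session on cleanup errors
}

if [ -n "${PAM_TYPE:-}" ]; then main; fi
```

Check the script against the ccache type your krb5_ccname_template actually produces before relying on it; it was written with the FILE:/tmp/krb5cc_* layout in mind.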


_______________________________________________
sssd-devel mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel