[OpenAFS-devel] Re: [kerberos-discuss] Solaris 10 SSHD, pam_krb5 and xscreensaver handling of renewed/forwarded ticket

Shawn M Emery Shawn.Emery@Sun.COM
Tue, 13 Nov 2007 20:57:45 -0700


Henry B. Hotz wrote:
> On Nov 8, 2007, at 8:30 AM, Douglas E. Engert wrote:
>
>   
>> Thanks for the response; some of my comments are below.
>>     
>
> I'll second Doug's concerns:
>
> 1) Should save the new tgt even if the old one isn't expired.  I  
> expect ancillary service tickets to be erased and for applications  
> that need them to be smart enough to reacquire them if needed.  (AFS  
> usually isn't, but it has a separate credential store so it's service  
> ticket usually isn't erased either.  Wish it did auto-acquire, but  
> that's another subject.)
>   

I'll review the applications (at least w/in the Solaris OE) to see 
whether they are negatively impacted by this.  Can you think of any other 
third-party applications that would be?  If the list is long then it would 
be preferred to preserve the old behavior and to allow the new.

> 2) Ticket stores should be per-session.
>   

Yes, but I think there should also be a way of acquiring a TGT from 
outside of the session.  For example, long-running or delayed-execution 
processes could use credentials acquired through another mechanism, 
such as password authentication or delegation.

Shawn.
--
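The cache-handling policy Henry describes in point 1 (store the newly forwarded or renewed TGT even when the old one is still valid, and let ancillary service tickets be erased so applications re-acquire them), as an added example that is not code from this thread, from Sun's pam_krb5, or from any Kerberos implementation. It reads and writes the MIT FILE credential-cache layout (version 4, big-endian fields) as I understand it from the MIT documentation; the principal names, session keys, ticket blobs and timestamps are constructed sample data, and the `drop_service_tickets` switch is my own knob for Shawn's "preserve the old behavior and allow the new" alternative.

```python
import struct

# Constructed example: MIT FILE ccache v4 reader/writer plus the TGT-replacement policy.
CCACHE_V4 = b"\x05\x04"
NT_PRINCIPAL, NT_SRV_INST = 1, 2            # krb5 name types
TKT_FLG_FORWARDABLE, TKT_FLG_RENEWABLE = 0x40000000, 0x00800000

def _pack_data(b):
    return struct.pack(">I", len(b)) + b

def _pack_principal(p):
    name_type, realm, comps = p
    out = struct.pack(">II", name_type, len(comps)) + _pack_data(realm.encode())
    return out + b"".join(_pack_data(c.encode()) for c in comps)

def _pack_cred(c):
    out = _pack_principal(c["client"]) + _pack_principal(c["server"])
    out += struct.pack(">HI", c["enctype"], len(c["key"])) + c["key"]
    out += struct.pack(">IIII", c["authtime"], c["starttime"], c["endtime"], c["renew_till"])
    out += struct.pack(">BI", c["is_skey"], c["flags"])
    out += struct.pack(">II", 0, 0)                       # no addresses, no authdata
    return out + _pack_data(c["ticket"]) + _pack_data(b"")  # empty second_ticket

def write_ccache(default_principal, creds):
    # v4 header: 2-byte total length, then one DeltaTime field (tag 1, len 8: sec, usec)
    hdr = struct.pack(">HHHii", 12, 1, 8, 0, 0)
    return CCACHE_V4 + hdr + _pack_principal(default_principal) + b"".join(map(_pack_cred, creds))

def _take(buf, off, n):
    return buf[off:off + n], off + n

def _unpack_data(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return _take(buf, off + 4, n)

def _unpack_principal(buf, off):
    name_type, ncomp = struct.unpack_from(">II", buf, off)
    realm, off = _unpack_data(buf, off + 8)
    comps = []
    for _ in range(ncomp):
        c, off = _unpack_data(buf, off)
        comps.append(c.decode())
    return (name_type, realm.decode(), comps), off

def _unpack_cred(buf, off):
    c = {}
    c["client"], off = _unpack_principal(buf, off)
    c["server"], off = _unpack_principal(buf, off)
    c["enctype"], klen = struct.unpack_from(">HI", buf, off)
    c["key"], off = _take(buf, off + 6, klen)
    c["authtime"], c["starttime"], c["endtime"], c["renew_till"] = struct.unpack_from(">IIII", buf, off)
    c["is_skey"], c["flags"] = struct.unpack_from(">BI", buf, off + 16)
    off += 21
    for _ in range(2):                 # addresses, then authdata: count, then (type16, data32)...
        (n,) = struct.unpack_from(">I", buf, off)
        off += 4
        for _ in range(n):
            _, off = _unpack_data(buf, off + 2)
    c["ticket"], off = _unpack_data(buf, off)
    c["second_ticket"], off = _unpack_data(buf, off)
    return c, off

def read_ccache(buf):
    if buf[:2] != CCACHE_V4:
        raise ValueError("only FILE ccache version 4 is handled here")
    (hlen,) = struct.unpack_from(">H", buf, 2)
    default_principal, off = _unpack_principal(buf, 4 + hlen)
    creds = []
    while off < len(buf):
        c, off = _unpack_cred(buf, off)
        creds.append(c)
    return default_principal, creds

def is_tgt(cred):
    return cred["server"][2][:1] == ["krbtgt"]

def install_new_tgt(buf, new_tgt, drop_service_tickets=True):
    """Replace the TGT regardless of the old one's expiry; optionally keep service tickets."""
    default_principal, creds = read_ccache(buf)
    if new_tgt["client"] != default_principal:      # never splice a foreign TGT into this cache
        raise ValueError("new TGT is for a different principal than the cache's default")
    kept = [] if drop_service_tickets else [c for c in creds if not is_tgt(c)]
    return write_ccache(default_principal, [new_tgt] + kept)

def _cred(client, server, ticket, start, life, flags=0):
    return {"client": client, "server": server, "enctype": 18, "key": b"\x11" * 32,
            "authtime": start, "starttime": start, "endtime": start + life,
            "renew_till": start + 7 * 86400, "is_skey": 0, "flags": flags,
            "ticket": ticket, "second_ticket": b""}

# Constructed principals (hypothetical realm and user).
USER = (NT_PRINCIPAL, "EXAMPLE.COM", ["doug"])
TGT_SRV = (NT_SRV_INST, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])
AFS_SRV = (NT_SRV_INST, "EXAMPLE.COM", ["afs", "example.com"])

def demo(drop_service_tickets=True):
    t0 = 1194000000                                      # constructed timestamp (Nov 2007)
    flags = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE
    old = write_ccache(USER, [_cred(USER, TGT_SRV, b"old-tgt", t0, 10 * 3600, flags),
                              _cred(USER, AFS_SRV, b"afs-service", t0 + 60, 10 * 3600)])
    forwarded = _cred(USER, TGT_SRV, b"forwarded-tgt", t0 + 3600, 10 * 3600, flags)
    return read_ccache(install_new_tgt(old, forwarded, drop_service_tickets))

if __name__ == "__main__":
    for c in demo()[1]:
        print(c["server"][2], c["ticket"], hex(c["flags"]))
```

With the default policy the rebuilt cache holds only the forwarded TGT, and the stale AFS service ticket is gone even though the old TGT had hours left; with `drop_service_tickets=False` the service ticket survives alongside the new TGT. Either way the cache is rewritten whole, which is what makes the per-session cache of point 2 matter: a shared cache rewritten by one login would silently replace credentials another session was using.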