[OpenAFS-devel] Re: [kerberos-discuss] Solaris 10 SSHD, pam_krb5
and xscreensaver handling of renewed/forwarded ticket
Douglas E. Engert
deengert@anl.gov
Thu, 15 Nov 2007 08:50:37 -0600
Another comment on the inconsistent handling of shared caches.

The screen saver and ssh (if fixed) would only update the TGT
with a newer TGT.

But kinit -R updates the TGT, AND discards all the other tickets.
So something as simple as (kinit -R ; aklog) could be used to get
a long lasting token after a screen unlock.

So if Sun has applications that are sensitive to not finding a ticket
in a shared cache, you need to look at effects of kinit -R being run
in some other session too.
will young wrote:
> Shawn M Emery wrote:
>> Henry B. Hotz wrote:
>>> On Nov 8, 2007, at 8:30 AM, Douglas E. Engert wrote:
>
>>> 2) Ticket stores should be per-session.
>>>
>>
>> Yes, but I think there should also be a way of acquiring a TGT from
>> outside of the session. For example; processes that are long running
>> or delayed execution could use credentials acquired from another
>> mechanism, such as from password authentication or delegation.
> I haven't looked recently but in general there have not been
> cohesive sessions to tie processes (and kernel actions) to unless
> auditing is enabled.
> -Will
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444