[OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11
Thimo Neubauer
thimo@macht.org
Thu, 14 Apr 2005 16:07:33 +0200
On Thu, Apr 14, 2005 at 03:47:21PM +0200, Ian Delahorne wrote:
> Thimo Neubauer wrote:
> >On Thu, Apr 14, 2005 at 03:05:29PM +0200, Simon Lyngshede wrote:
> >
> >>The "KerberosTgtPassing yes" won't work on Sarge, as the Debian
> >>package doesn't support that, so you'll need to compile OpenSSH
> >>yourself.
> >
> >
> >... or install "ssh-krb5" ;-) Then you can forward your
> >Kerberos-tickets either by using -K or setting
> >"GSSAPIDelegateCredentials yes" which is unfortunately undocumented
> >(see http://bugs.debian.org/144291).
> >
>
> GSSAPIDelegateCredentials gives you a new KRB5CC for each ssh login, so
> it's not really useable.
What's not useable about that? It correctly sets KRB5CCNAME which
aklog can then use. Each ssh login gets a seperate PAG anyway, so why
not have seperate KRB5CCs? This way, at least cleaning up the tokens
on logout is clearly defined.
Cheers
Thimo