[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: transfering files between *.debian.org hosts

Steve Langasek <vorlon@debian.org> writes:
> On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:

>> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
>> credentials cache is destroyed upon logout (this can also be done
>> through the session component of libpam_krb5.so).

> ... but pam_krb5.so shouldn't be used for this, since that involves handing
> passwords to the remote server. :)

He means just using the session component, which doesn't do anything with
passwords.  However, the session stack of pam_krb5.so won't remove ticket
caches it didn't create (intentionally), so this doesn't work the way that
one might expect.  The ssh option is the correct approach.

>> I'm not entirely sure whether destroying a credentials cache means the
>> KDC is also instructed to revoke the TGT and cannot check currently,
>> but I believe this is the case.
> It does not; that would be unnecessary communication with the KDC.

It's also not something for which a KDC keeps state.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: