
Re: transferring files between *.debian.org hosts



Steve Langasek <vorlon@debian.org> writes:
> On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:

>> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
>> credentials cache is destroyed upon logout (this can also be done
>> through the session component of libpam_krb5.so).

> ... but pam_krb5.so shouldn't be used for this, since that involves handing
> passwords to the remote server. :)

He means just using the session component, which doesn't do anything with
passwords.  However, the session stack of pam_krb5.so won't remove ticket
caches it didn't create (intentionally), so this doesn't work the way that
one might expect.  The ssh option is the correct approach.

>> I'm not entirely sure whether destroying a credentials cache means the
>> KDC is also instructed to revoke the TGT and cannot check currently,
>> but I believe this is the case.
>
> It does not; that would be unnecessary communication with the KDC.

It's also not something for which a KDC keeps state.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
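The option Russ points to as the correct approach is a one-line sshd_config setting, so the practical question for an administrator is whether a given host actually has it in effect. The following is an added example, not code from the thread or from any of its authors: a small POSIX shell audit that reports the effective global value of GSSAPICleanupCredentials in an sshd_config file. It assumes OpenSSH's parsing rules (the first occurrence of a keyword in the global section wins, and the compiled-in default is "yes") and deliberately ignores Match blocks; the sample configuration files it writes are constructed for the demonstration. On a live host, `sshd -T` prints the fully evaluated configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread: audit the effective global value of
# GSSAPICleanupCredentials in an sshd_config file (the option discussed above
# for destroying a forwarded Kerberos ticket cache at logout).
# Assumptions: OpenSSH sshd_config semantics, where the first occurrence of a
# keyword in the global section wins and the compiled-in default is "yes".
# Match blocks are not evaluated here; on a live host `sshd -T` prints the
# effective value and is the authoritative check.

gssapi_cleanup_value() {
    # $1 = path to an sshd_config file; prints "yes" or "no".
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # accept the "keyword=value" spelling by turning "=" into whitespace
        { gsub(/=/, " ") }
        # the global section ends at the first Match block
        tolower($1) == "match" { exit }
        # keywords are case-insensitive; the first hit is the effective one
        tolower($1) == "gssapicleanupcredentials" {
            v = tolower($2); gsub(/"/, "", v); print v; found = 1; exit
        }
        END { if (!found) print "yes" }   # compiled-in default
    ' "$1"
}

# Constructed sample configs (not taken from any real host) to exercise the check.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/weak" <<'EOF'
# forwarded ticket cache is left behind after logout
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Match User backup
    GSSAPICleanupCredentials yes
EOF

cat > "$TMPD/hardened" <<'EOF'
GSSAPIAuthentication yes
gssapicleanupcredentials = yes
EOF

cat > "$TMPD/default" <<'EOF'
GSSAPIAuthentication yes
EOF

for f in weak hardened default; do
    printf '%s: GSSAPICleanupCredentials %s\n' "$f" "$(gssapi_cleanup_value "$TMPD/$f")"
done
```

The "weak" sample shows why the Match block is ignored: the value inside it applies only to matching sessions, while every other forwarded credential on that host would still be left on disk after logout. Note that, as the thread says, a "yes" here only removes the local cache file; the TGT itself remains valid at the KDC until it expires.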