
Re: transferring files between *.debian.org hosts



On Mon, Sep 01, 2008 at 06:17:57PM -0700, Russ Allbery wrote:
> Steve Langasek <vorlon@debian.org> writes:
> > On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
> 
> >> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
> >> credentials cache is destroyed upon logout (this can also be done
> >> through the session component of libpam_krb5.so).
> 
> > ... but pam_krb5.so shouldn't be used for this, since that involves handing
> > passwords to the remote server. :)
> 
> He means just using the session component, which doesn't do anything with
> passwords.

Indeed.

> However, the session stack of pam_krb5.so won't remove ticket caches it
> didn't create (intentionally), so this doesn't work the way that one might
> expect.  The ssh option is the correct approach.

Ah, I didn't know that. Interesting.

> >> I'm not entirely sure whether destroying a credentials cache means the
> >> KDC is also instructed to revoke the TGT and cannot check currently,
> >> but I believe this is the case.
> >
> > It does not; that would be unnecessary communication with the KDC.
> 
> It's also not something for which a KDC keeps state.

Well, like I said, I wasn't sure. Thanks for the clarification.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22

