On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote: > By setting the "GSSAPICleanupCredentials" option in sshd_config, the > credentials cache is destroyed upon logout (this can also be done > through the session component of libpam_krb5.so).
... but pam_krb5.so shouldn't be used for this, since that involves handing passwords to the remote server. :) > I'm not entirely sure whether destroying a credentials cache means the KDC > is also instructed to revoke the TGT and cannot check currently, but I > believe this is the case. It does not; that would be unnecessary communication with the KDC. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]