Steve Langasek <[EMAIL PROTECTED]> writes:

> On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:

>> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
>> credentials cache is destroyed upon logout (this can also be done
>> through the session component of libpam_krb5.so).

> ... but pam_krb5.so shouldn't be used for this, since that involves handing
> passwords to the remote server. :)

He means just using the session component, which doesn't do anything with
passwords. However, the session stack of pam_krb5.so won't remove ticket
caches it didn't create (intentionally), so this doesn't work the way that
one might expect. The ssh option is the correct approach.

>> I'm not entirely sure whether destroying a credentials cache means the
>> KDC is also instructed to revoke the TGT and cannot check currently,
>> but I believe this is the case.

> It does not; that would be unnecessary communication with the KDC.

It's also not something for which a KDC keeps state.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
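An added example, not part of the thread above, showing how an administrator can audit whether the sshd option discussed here is actually in effect on a host. It assumes OpenSSH's sshd_config parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, lines starting with "#" are comments) and the documented default of GSSAPICleanupCredentials being "yes" when the keyword is absent; the sample config files are constructed here to exercise the check, and Match blocks and the "Keyword=value" spelling are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective value of a
# keyword in an sshd_config-style file and decide whether credential
# caches will be destroyed on logout.
#
# Assumptions (OpenSSH semantics as documented in sshd_config(5)):
#   - keywords are case-insensitive
#   - the first occurrence of a keyword wins, later ones are ignored
#   - lines whose first non-blank character is '#' are comments
#   - GSSAPICleanupCredentials defaults to "yes" when not set
# Match blocks are deliberately not descended into (global setting only).

# effective_value FILE KEYWORD -> prints the first value found (nothing if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF < 2 { next }                                 # blank or incomplete
        tolower($1) == "match" { in_match = 1; next }   # stop at Match blocks
        in_match { next }
        tolower($1) == key { print $2; exit }           # first match wins
    ' "$1"
}

# gssapi_cleanup_enabled FILE -> 0 if the cache is destroyed on logout
# (explicit "yes", or unset because the OpenSSH default is yes), else 1.
gssapi_cleanup_enabled() {
    v=$(effective_value "$1" GSSAPICleanupCredentials)
    case "$(printf '%s' "${v:-yes}" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample configs (not real host files) used to exercise the check.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); DEFAULT_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# constructed sample: cleanup explicitly enabled
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$BAD_CFG" <<'EOF'
# constructed sample: cleanup disabled; the later "yes" is ignored
gssapiauthentication yes
GSSAPICleanupCredentials no
GSSAPICleanupCredentials yes
EOF
cat > "$DEFAULT_CFG" <<'EOF'
# constructed sample: keyword absent, so the default (yes) applies
GSSAPIAuthentication yes
EOF

for f in "$GOOD_CFG" "$BAD_CFG" "$DEFAULT_CFG"; do
    if gssapi_cleanup_enabled "$f"; then
        echo "$f: credential cache is destroyed on logout"
    else
        echo "$f: GSSAPICleanupCredentials is off; caches persist after logout"
    fi
done
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative source; the parser above is useful when reviewing config files offline, for instance in a configuration repository. As the reply notes, destroying the cache only removes the tickets from the local file: the TGT itself remains valid at the KDC until it expires, so a copy taken before logout is not invalidated by this option.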