Darren J Moffat wrote:
> Wyllys Ingersoll wrote:
>> + ccache_type
>> +
>> + Contains the credential cache type used by the system.
>> Valid values
>> + are "file" or "ccapi". If unspecified then the default
>> type is "file".
>> + Refer to krb5envvar(5) under KRB5CCNAME for a description
>> of each type.
>> +
>
> Is this sufficient so that pam_krb5 can be set up to use ccapi? If so
> that is wonderful because I believe that will mean that the
> pam_setcred(pamh, PAM_DELETE_CRED) calls that sshd makes could
> actually be useful to only delete that ssh session's krb5 creds.

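Review bot: the ccache_type description gives the valid values and the default but does not say which setting wins when KRB5CCNAME is also present in the caller's environment, nor what happens when the value is neither "file" nor "ccapi". Since the text already points at krb5envvar(5) under KRB5CCNAME, state the precedence between the two here and say whether an unrecognized value falls back to "file" or is treated as an error.
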
Yes, but that requires the application to inherit the environment variables of the caller. However, initial login applications need to be leery of inheriting arbitrary environment variables as the associated process could be running with privileges at times. So some refactoring is required to get this to work. Perhaps this warrants a separate case for reintroducing session management, at least for pam_krb5(5).

Shawn.
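
The caution above about inheriting environment variables in a privileged login path, as an added example that is not part of this thread or of any pam_krb5 code: a check that an inherited KRB5CCNAME value is safe to act on for a given user. The function names, the "FILE:" prefix form and the acceptance policy (absolute path, regular file, owned by the user, no group or other access) are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: only "FILE:<absolute path>" is honoured from the environment. */
static const char *file_residual(const char *ccname)
{
    size_t n;
    if (ccname == NULL || strncmp(ccname, "FILE:", 5) != 0)
        return NULL;
    ccname += 5;
    n = strlen(ccname);
    if (ccname[0] != '/' || n > 1023)
        return NULL;
    /* Reject any ".." path component. */
    if (strstr(ccname, "/../") != NULL || (n >= 3 && strcmp(ccname + n - 3, "/..") == 0))
        return NULL;
    return ccname;
}

/* Returns 1 if an inherited KRB5CCNAME value may be used on behalf of uid. */
int ccname_acceptable(const char *ccname, uid_t uid)
{
    struct stat st;
    const char *path = file_residual(ccname);
    if (path == NULL || lstat(path, &st) != 0)   /* lstat: never follow a symlink */
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != uid)
        return 0;
    /* Cache must be private to its owner. The later open should use
       O_NOFOLLOW and repeat these checks with fstat() on the descriptor. */
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Constructed sample: a private temp file passes, then fails once world-readable. */
int demo_private_then_public(void)
{
    char name[64] = "FILE:/tmp/krb5cc_demo_XXXXXX";
    int fd = mkstemp(name + 5), ok;
    if (fd < 0)
        return -1;
    ok = ccname_acceptable(name, geteuid()) == 1;
    ok = ok && fchmod(fd, 0644) == 0 && ccname_acceptable(name, geteuid()) == 0;
    close(fd);
    unlink(name + 5);
    return ok;
}
```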
