On 09/20/2016 01:42 AM, Rick van Rein wrote:
> This seems to me like a missed opportunity. Am I mad to think that a
> crypto backend could choose any krb5_keydata representation, and that a
> pkcs11: URI [RFC7512] would be fine? It looks like the surrounding
> libkrb5 treats the keys as literals

Hi,
I've looked into the mechanism for configurable crypto backends and in
particular the NSS backend, which is close to PKCS #11.
What I like about PKCS #11 is that it can conceal keys from the libkrb5
library, and thereby from the application's reachable memory. This is
not how the NSS crypto

tseegerkrb writes:
> I think the sshd daemon does not honor the "default_ccache_name" and uses
> the default file format.

I'm pretty sure you're correct if you're doing GSS-API authentication with
ssh. Looking at the source code to sshd, you don't seem to get much
choice in the matter:
# ifdef H

Hello,
I grep for KRB5CCNAME in the etc directory and the only match is in
"/etc/default/slapd" and this is ok and has nothing to do with the login
process. I think the sshd daemon does not honor the "default_ccache_name"
and uses the default file format. I use pam_sss instead of pam_krb5. If
I g