Bug#403192: libpam-krb5: retain_after_close option ignored when SSH using gssapi
Dist:Etch (4.0) Package: libpam-krb5 Version: 2.6-1 When logging into a system using SSH and authenticating via gssapi-with-mic, the retain_after_close option to libpam-krb5 is ignored and the ticket cache is destroyed upon logout. However, when logging into a system using SSH and standard password authentication, the retain_after_close option works as expected and the ticket cache is not destroyed upon logout. Since the retain_after_close is essential when submitting long-running jobs (i.e. nohup ./job ), its rather problematic that this does not work with gssapi logins. This message and attachments are subject to a disclaimer. Please refer to www.it.up.ac.za/documentation/governance/disclaimer/ for full details. / Hierdie boodskap en aanhangsels is aan 'n vrywaringsklousule onderhewig. Volledige besonderhede is by www.it.up.ac.za/documentation/governance/disclaimer/ beskikbaar. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#403192: libpam-krb5: retain_after_close option ignored when SSH using gssapi
Hans Grobler [EMAIL PROTECTED] writes: Dist:Etch (4.0) Package: libpam-krb5 Version: 2.6-1 When logging into a system using SSH and authenticating via gssapi-with-mic, the retain_after_close option to libpam-krb5 is ignored and the ticket cache is destroyed upon logout. With gssapi-with-mic, PAM doesn't obtain the tickets and therefore also doesn't attempt to destroy them. sshd itself is responsible for both. My guess is that you're looking for the sshd_config option: GSSAPICleanupCredentials no The default is yes. Could you try setting this in your sshd_config and see if it resolves your issue? -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#403192: libpam-krb5: retain_after_close option ignored when SSH using gssapi
On Fri, 2006-12-15 at 08:53 -0800, Russ Allbery wrote: With gssapi-with-mic, PAM doesn't obtain the tickets and therefore also doesn't attempt to destroy them. sshd itself is responsible for both. My guess is that you're looking for the sshd_config option: GSSAPICleanupCredentials no The default is yes. Could you try setting this in your sshd_config and see if it resolves your issue? I have performed the recommended change and confirmed that the GSSAPI obtained credentials are now correctly retained. Russ, thanks for the hint. (FWIW: your pam-afs-session module works correctly in this configuration and now both krb5 and afs credentials are retained). Regards, -- Hans -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]