erberos@mit.edu, Olga
Dodin/Haifa/[EMAIL PROTECTED]
Subject
01/15/2008 06:05 Re: Fw: SSO with telnet/rlogin/
On Jan 15, 2008 3:19 PM, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
>
>
> Ken Hornstein wrote:
> >> That is what DCE did. The PAG number was part of the cache name in
> >> a well known location.
> >
> > I don't want the cache in a "well known location". I want to tell the OS
> > or some utility,
>I think AFS uses the correct model. Credentials are really an attribute
>of the user and for the best security should be tracked by the kernel like
>any other security attribute of the user (UID, GID, supplemental groups,
>capabilities, etc.). But that gets into really nasty cross-platform
>issu
Ken Hornstein wrote:
>> That is what DCE did. The PAG number was part of the cache name in
>> a well known location.
>
> I don't want the cache in a "well known location". I want to tell the OS
> or some utility, "Hey, here's my TGT", or perhaps even, "Talk to me on this
> socket/port/door to ge
Ken Hornstein <[EMAIL PROTECTED]> writes:
>> telnetd should include both the UID and the PID in the cache name.
>> This works much more smoothly with rpc.gssd and is what I do in
>> pam-krb5.
>
> In a perfect world, we'd chuck the whole horrid scheme and create some
> utility to send the Kerberos
"Douglas E. Engert" <[EMAIL PROTECTED]> writes:
> OK that works too. But I thought the main problem as stated in the note
> was that the rpc.gssd could not read the environment of the process, and
> thus always defaulted to using the default ticket cache.
>
> This is the same set of issues I have w
> That is what DCE did. The PAG number was part of the cache name in
>a well known location.
I don't want the cache in a "well known location". I want to tell the OS
or some utility, "Hey, here's my TGT", or perhaps even, "Talk to me on this
socket/port/door to get a ticket for a service".
--Ken
Ken Hornstein wrote:
>> telnetd should include both the UID and the PID in the cache name. This
>> works much more smoothly with rpc.gssd and is what I do in pam-krb5.
>
> In a perfect world, we'd chuck the whole horrid scheme and create some utility
> to send the Kerberos credentials to rpc.gs
Russ Allbery wrote:
> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>
>> From a Kerberos perspective both could be correct. Using the process ID
>> as part of the cache name allows for session based credentials, so each
>> telnet session has its own cache.
>
> telnetd should include both the
>telnetd should include both the UID and the PID in the cache name. This
>works much more smoothly with rpc.gssd and is what I do in pam-krb5.
In a perfect world, we'd chuck the whole horrid scheme and create some utility
to send the Kerberos credentials to rpc.gssd or its equivalent. Sigh.
--
"Douglas E. Engert" <[EMAIL PROTECTED]> writes:
> From a Kerberos perspective both could be correct. Using the process ID
> as part of the cache name allows for session based credentials, so each
> telnet session has its own cache.
telnetd should include both the UID and the PID in the cache name
Levy/Haifa/IBM
> To
> 01/07/2008 kerberos@mit.edu
> 11:08 PM cc
>
>Subject
>
Behalf Of Ido Levy
Sent: Tuesday, January 15, 2008 3:53 PM
To: kerberos@mit.edu
Cc: Olga Dodin
Subject: Fw: SSO with telnet/rlogin/rsh
We did a deeper investigation of this issue and found out that the difference
between sshd and telnetd is in the user credential cache file name.
While ssh to
; just the user principal is presented and not the
NFS principal.
Has anyone successfully set up SSO with telnet/rlogin/rsh in a kerberized
NFSv4 environment when using automount?
Thanks,
Ido Levy
Kerberos mailing list Kerberos@mit