URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication
Gundersanne commented:

Hai,

So cockpit's perspective to this patch as I understand it:

Cockpit would build an s4u ccache using gssapi. This means that the ccache we'd use has the target user as the client principal (so not the cockpit principal building the cache). As far as I understand that means calling `krb5_aname_to_localname` in that context would yield the target principal, not the cockpit principal who built the cache.

That said we would not have a TGT for that user, the way s4u works means we'd just have tickets for specific services, in this case the sudo service. But I think that should be fine, as in a "normal" scenario you'd just use that TGT to get a ticket for the sudo service.

Having this option on by default where that client principal needs to match a local user makes sense to me, as I think that's the scenario cockpit would fall under. Cockpit would ssh into a machine with a host ticket, and then escalate using the sudo service ticket, only for that specific user.

So I think this should be fine, and gets an ACK from our side :)

See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-743232917
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org