On 1 Mar 2008, at 03:12, Russ Allbery wrote:

> Matthew Andrews writes:
>> Hmmm.... The cascading credentials code sounds interesting, but
>> raises
>> the practical question of how does one deal with derived credentials.

> Just re-run the session PAM stack with PAM_REFRESH_CREDS set, the
> same as
> what a screensaver would do. This does all the right things with
> derived
> credentials if your PAM modules are properly written.

This is exactly what my cascading credentials code for OpenSSH does.
It uses an additional PAM stack (so you can set different options
than the 'main' ssh PAM stack) which it calls the session layer of
whenever credentials are renewed. We use this to renew both AFS
tokens, and KX509 certificates.

Informatics are now running this code in production. I expect to be
making a public release next week.