Hi,

As a follow-up to yesterday's announcement of the 4.4p2 GSSAPI key
exchange
patch set, I'm now looking for people who'd be interested in testing
some
new, experimental code.

I have had a number of requests from people who've wondered whether
there
is a way of forwarding renewed credentials over SSH links. That is,
if you're
sitting with a login session at a workstation, and renew your
credentials at that
workstation - these renewed credentials are 'magically' transmitted
to any sessions
you have running on remote machines, to which you have already
forwarded credentials.

I have some code implementing this behaviour, that I would be
interested in
getting both testing (on non-production systems) and code review of.

The re-forwarding is implemented in both client and server. The
client watches
for renewal of the tickets in its current cache, where the principal
of the ticket
remains that same as that which established the connection. When
renewal occurs,
it forces a rekey of the SSH connection, using GSSAPI key exchange

When a rekey occurs, the server grabs the credentials delegated as
part of that
operation. Providing that these credentials have the same principal
as those it
originally stored into the user's ccache (and that ccache's ownership
and principal
hasn't changed since being originally created), it overwrites the
ccache with the new
credentials.

The server then does a pam_setcred with the new credentials, which
allows the creation of
AFS tokens, and KX509 certificates, depending on the site-specific
PAM configuration.

Both client and server behaviour is controllable by means of a
configuration option.

If you'd be interested in testing, or reviewing, this code, please
let me know!

Thanks,

Simon.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos