OpenSSH renewed credentials forwarding - Kerberos

Hi,

As a follow-up to yesterday's announcement of the 4.4p2 GSSAPI key
exchange patch set, I'm now looking for people who'd be interested in
testing some new, experimental code.
I have had a number of requests from people who've wondered whether
is a way of forwarding renewed credentials over SSH links. That is,
sitting with a login session at a workstation, and renew your
credentials at that workstation - these renewed credentials are
'magically' transmitted to any sessions you have running on remote
machines, to which you have already
I have some code implementing this behaviour, that I would be
getting both testing (on non-production systems) and code review of.
The re-forwarding is implemented in both client and server. The
for renewal of the tickets in its current cache, where the principal
of the ticket remains the same as that which established the
connection. When
it forces a rekey of the SSH connection, using GSSAPI key exchange
When a rekey occurs, the server grabs the credentials delegated as
part of that operation. Providing that these credentials have the
same principal as those it originally stored into the user's ccache
(and that ccache's ownership hasn't changed since being originally
created), it overwrites the ccache with the new
The server then does a pam_setcred with the new credentials, which
allows the creation of AFS tokens, and KX509 certificates, depending
on the site-specific
Both client and server behaviour is controllable by means of a
If you'd be interested in testing, or reviewing, this code, please
let me know!
Kerberos mailing list Kerberos@mit.edu
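
The server-side check the post describes (same principal, ccache ownership unchanged since creation, only then overwrite), sketched as an added example; this is not code from the patch set. The struct and function names are hypothetical, and the device/inode, link-count and O_NOFOLLOW checks are assumptions that go beyond the ownership test the post mentions.

```c
#define _POSIX_C_SOURCE 200809L  /* for lstat() and O_NOFOLLOW */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical record the server keeps when it first stores the ccache. */
struct ccache_record {
    char  principal[256];  /* principal that established the connection */
    uid_t owner;           /* owner of the ccache file at creation time */
    dev_t dev;             /* device and inode pin down the exact file */
    ino_t ino;
};

/* Remember the identity of a freshly created ccache. Returns 0 on success. */
int ccache_remember(struct ccache_record *rec, const char *path,
                    const char *principal)
{
    struct stat st;

    if (strlen(principal) >= sizeof(rec->principal)) return -1;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    strcpy(rec->principal, principal);
    rec->owner = st.st_uid;
    rec->dev = st.st_dev;
    rec->ino = st.st_ino;
    return 0;
}

/*
 * Open the ccache for overwriting with renewed credentials, but only if the
 * delegated principal is unchanged and the path still names the original
 * file with its original owner. Returns a file descriptor, or -1 to refuse.
 */
int ccache_open_for_renewal(const struct ccache_record *rec, const char *path,
                            const char *new_principal)
{
    struct stat st;
    int fd;

    if (strcmp(rec->principal, new_principal) != 0) return -1;
    fd = open(path, O_WRONLY | O_NOFOLLOW);  /* never create, never follow a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != rec->owner || st.st_dev != rec->dev || st.st_ino != rec->ino) {
        close(fd);  /* checked on the open descriptor, so no check-to-use race */
        return -1;
    }
    return fd;  /* caller truncates and writes the renewed credentials */
}
```

Checking with fstat() on the already-open descriptor, rather than stat() on the path, is what keeps the ownership test and the later write bound to the same file.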