On Mon, Sep 01, 2008 at 06:17:57PM -0700, Russ Allbery wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
>
> >> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
> >> credentials cache is destroyed upon logout (this can also be done
> >> through the session component of libpam_krb5.so).
>
> > ... but pam_krb5.so shouldn't be used for this, since that involves handing
> > passwords to the remote server. :)
>
> He means just using the session component, which doesn't do anything with
> passwords.

Indeed.

> However, the session stack of pam_krb5.so won't remove ticket caches it
> didn't create (intentionally), so this doesn't work the way that one might
> expect. The ssh option is the correct approach.

Ah, I didn't know that. Interesting.

> >> I'm not entirely sure whether destroying a credentials cache means the
> >> KDC is also instructed to revoke the TGT and cannot check currently,
> >> but I believe this is the case.
>
> > It does not; that would be unnecessary communication with the KDC.
>
> It's also not something for which a KDC keeps state.

Well, like I said, I wasn't sure. Thanks for the clarification.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22
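A small checker for the sshd_config option the thread settles on, added here as an example; it is not code from the thread, from OpenSSH or from pam_krb5. It resolves GSSAPICleanupCredentials the way sshd does (keywords are case-insensitive, the first occurrence wins, the separator is whitespace or "=", and the OpenSSH default is "yes"), and it stops scanning at the first Match line because this keyword is global-only and not accepted inside a Match block. The sample configs and the function names `effective_cleanup` and `check` are my own constructions. Note what the check does and does not tell you: a "yes" means sshd destroys the delegated credential cache on the server at logout, but, as the thread says, the TGT itself stays valid at the KDC until it expires, so cache cleanup is about limiting exposure on the host, not revocation.

```python
"""Resolve the effective GSSAPICleanupCredentials value from sshd_config text.

Added example (not from the thread, OpenSSH or pam_krb5). Mirrors sshd's
keyword resolution: case-insensitive keywords, first occurrence wins,
whitespace or '=' separator, default 'yes'. GSSAPICleanupCredentials is a
global-only keyword, so scanning stops at the first Match block.
"""
import re

KEYWORD = "gssapicleanupcredentials"
DEFAULT = "yes"  # OpenSSH default when the keyword is absent

# keyword, then either whitespace or an optional-whitespace '=' , then the value
_LINE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*?)\s*$")


def _split(line: str):
    """Return (lowercased keyword, value) or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _LINE_RE.match(stripped)
    if not m:                      # bare keyword with no value
        return stripped.lower(), ""
    return m.group(1).lower(), m.group(2)


def effective_cleanup(config_text: str) -> str:
    """Return the effective GSSAPICleanupCredentials value ('yes' or 'no')."""
    for line in config_text.splitlines():
        parsed = _split(line)
        if parsed is None:
            continue
        keyword, value = parsed
        if keyword == "match":     # global section ends here; keyword not valid below
            break
        if keyword == KEYWORD:
            return value.lower()   # first occurrence wins, as in sshd
    return DEFAULT


def check(config_text: str) -> tuple:
    """(ok, message): ok is True when delegated caches are destroyed at logout."""
    value = effective_cleanup(config_text)
    if value == "yes":
        return True, "sshd destroys the delegated credential cache at logout"
    return False, ("GSSAPICleanupCredentials is '%s': delegated tickets stay on "
                   "disk after logout" % value)


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# constructed sample: cleanup explicitly disabled
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sample: cleanup enabled (also the default when omitted)
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, msg = check(cfg)
        print("%-8s %s  %s" % (name, "OK " if ok else "BAD", msg))
```

On a live host, compare the result with `sshd -T | grep -i gssapicleanupcredentials`, which prints the value the running daemon actually resolved, including anything pulled in via Include.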