Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> Dag-Erling Smørgrav <d...@des.no> writes:
> > The application does not need pam_krb5's temporary credential cache. It
> > is only used internally. Single sign-on is implemented by storing your
> > credentials in a *permanent* credential cache (either a file or KCM)
> > which is independent of the PAM session and the application. The
> > location of the permanent credential cache is exported to the
> > application through the KRB5CCNAME environment variable.
> Yes, but the content of the credential cache is obtained at the time of
> pam_authenticate().

Did you read *anything* that I wrote? The pam_krb5 module obtains your credentials and stores them in a persistent cache which is *independent* of the module and of the application that called it. The *only* thing it needs to communicate to the application is the value of KRB5CCNAME. If this wasn't the case, pam_krb5 wouldn't work with *any* applications whatsoever, not just sshd.

> Also, the authentication daemon (in case the authentication daemon calls
> pam_setcred) can't know what needs to be transferred (changed UID? new
> environment? deleted environment?)

Actually, sshd already does most of this by farming PAM out to a child process.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
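An added illustration of the application side of the hand-off described above, not code from this thread, from sshd or from pam_krb5: it picks KRB5CCNAME out of an environment list shaped like the one pam_getenvlist(3) returns, splits it into cache type and residual, and checks a FILE cache before a session running as the target user inherits it. The function names and the owner/mode policy are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example. envlist is assumed to be a NULL-terminated "NAME=value" array. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum cc_status { CC_OK = 0, CC_MISSING, CC_BAD_NAME, CC_NOT_FOUND,
                 CC_NOT_FILE, CC_BAD_OWNER, CC_BAD_MODE };

/* Return the value of KRB5CCNAME from the list, or NULL if it is not set. */
static const char *find_ccname(char *const *envlist)
{
    static const char key[] = "KRB5CCNAME=";
    for (; envlist != NULL && *envlist != NULL; envlist++)
        if (strncmp(*envlist, key, sizeof(key) - 1) == 0)
            return *envlist + sizeof(key) - 1;
    return NULL;
}

/* Split "TYPE:residual" into type and residual; a bare path means FILE. */
static const char *split_ccname(const char *cc, char *type, size_t tlen)
{
    const char *colon = strchr(cc, ':');
    if (cc[0] == '/' || colon == NULL) {
        snprintf(type, tlen, "FILE");
        return cc;
    }
    snprintf(type, tlen, "%.*s", (int)(colon - cc), cc);
    return colon + 1;
}

/* Hypothetical policy: a FILE cache must be a regular file owned by uid, mode 0600 or tighter. */
static enum cc_status check_ccache(char *const *envlist, uid_t uid)
{
    char type[16];
    struct stat sb;
    const char *cc = find_ccname(envlist);
    if (cc == NULL) return CC_MISSING;
    const char *res = split_ccname(cc, type, sizeof(type));
    if (strcmp(type, "FILE") != 0) return CC_OK;   /* e.g. KCM: no path to inspect */
    if (*res == '\0') return CC_BAD_NAME;
    if (lstat(res, &sb) != 0) return CC_NOT_FOUND; /* lstat: do not follow symlinks */
    if (!S_ISREG(sb.st_mode)) return CC_NOT_FILE;
    if (sb.st_uid != uid) return CC_BAD_OWNER;
    if (sb.st_mode & (S_IRWXG | S_IRWXO)) return CC_BAD_MODE;
    return CC_OK;
}
```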