Date:      Tue, 3 Sep 2013 13:37:57 +0400
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: OpenSSH, PAM and kerberos
Message-ID:  <20130903093756.GG3796@zxy.spb.ru>
In-Reply-To: <86y57euu8y.fsf@nine.des.no>
References:  <86d2ovy64p.fsf@nine.des.no> <20130830100926.GU3796@zxy.spb.ru> <20130830103009.GV3796@zxy.spb.ru> <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no>

On Tue, Sep 03, 2013 at 11:31:09AM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > The proper solution would be an identification and authentication daemon
> > > with a well-designed RPC interface and mechanisms for transferring
> > > environment variables, descriptors and credentials from the daemon to
> > > the application (in this case, sshd).
> > I think this is impossible, because credentials for pam_krb5 are simply
> > a pointer to internal blobs with unknown size, structure and links with
> > other elements.
> 
> When I spoke of passing credentials, I meant process credentials, not
> the cached Kerberos credentials - which the application does not need
> anyway.  See SCM_CREDS in recv(2) for further information.

And how, in this case, can the situation with PAM credentials
(Kerberos credentials in my case) be resolved?


