From: Dag-Erling Smørgrav <des@des.no>
To: Slawa Olhovchenkov
Cc: freebsd-security@FreeBSD.org
Subject: Re: OpenSSH, PAM and kerberos
Date: Tue, 03 Sep 2013 13:27:04 +0200
Message-ID: <86li3euovr.fsf@nine.des.no>
In-Reply-To: <20130903095316.GH3796@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 3 Sep 2013 13:53:16 +0400")
List-Id: freebsd-security "Security issues [members-only posting]"

Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > Slawa Olhovchenkov writes:
> > > And how, in this case, can the situation with PAM credentials
> > > (Kerberos credentials in my case) be resolved?
> > The application does not need them.
> I need them. I need single sign-on; I need to enter the password only
> once, at login time, and use these credentials to log in to other hosts
> and use Kerberized NFS without entering a password.

The application does not need pam_krb5's temporary credential cache.
It is only used internally. Single sign-on is implemented by storing
your credentials in a *permanent* credential cache (either a file or
KCM) which is independent of the PAM session and the application. The
location of the permanent credential cache is exported to the
application through the KRB5CCNAME environment variable.

DES
-- 
Dag-Erling Smørgrav - des@des.no
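The reply above turns on one mechanism: the application finds the permanent credential cache through KRB5CCNAME, whose value has the form TYPE:residual (for example FILE:/tmp/krb5cc_1001 or KCM:1001). The following is an added example, not code from the thread, pam_krb5 or OpenSSH. It resolves the cache a process will actually use and, for a FILE cache, performs the ownership and permission checks a practitioner would want before trusting it for single sign-on. Assumptions, marked in the code: the fallback path /tmp/krb5cc_<uid> when KRB5CCNAME is unset (the usual default unless krb5.conf overrides default_ccache_name), and the list of cache types, which is illustrative rather than exhaustive.

```python
"""Resolve the Kerberos credential cache a process will use and sanity-check it.

Added example for the KRB5CCNAME discussion; not code from the original
thread, pam_krb5 or OpenSSH.  Assumptions are marked in comments.
"""
import os
import shutil
import stat
import tempfile

# Cache types understood by MIT Kerberos / Heimdal.  Assumption: illustrative
# list, not exhaustive for every build.
KNOWN_TYPES = {"FILE", "DIR", "KCM", "MEMORY", "API", "KEYRING"}


def resolve_ccache(env, uid):
    """Return (type, residual) for the cache the application will see.

    KRB5CCNAME is TYPE:residual; a bare path is treated as a FILE cache.
    When the variable is absent, fall back to FILE:/tmp/krb5cc_<uid>
    (assumption: default_ccache_name is not overridden in krb5.conf).
    """
    name = env.get("KRB5CCNAME")
    if not name:
        return ("FILE", "/tmp/krb5cc_%d" % uid)
    head, sep, rest = name.partition(":")
    if sep and head.upper() in KNOWN_TYPES:
        return (head.upper(), rest)
    return ("FILE", name)


def check_file_ccache(path, uid):
    """Checks for a FILE cache: exists, is a regular file (not a symlink planted
    in /tmp), is owned by the user, and is not group/world accessible."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is group/world accessible" % (st.st_mode & 0o777))
    return problems


def audit(env, uid):
    """Return (type, residual, problems) for the cache selected by env."""
    ctype, residual = resolve_ccache(env, uid)
    if ctype == "FILE":
        return (ctype, residual, check_file_ccache(residual, uid))
    # KCM/MEMORY/API caches live in a daemon or in-process: nothing on disk.
    return (ctype, residual, [])


def demo():
    """Constructed scenario: one correctly protected cache file, one
    world-readable, plus a KCM name and an unset variable."""
    uid = os.getuid()
    d = tempfile.mkdtemp()
    good = os.path.join(d, "krb5cc_good")
    bad = os.path.join(d, "krb5cc_bad")
    for p, mode in ((good, 0o600), (bad, 0o644)):
        with open(p, "wb") as f:
            f.write(b"placeholder")  # contents are not parsed here
        os.chmod(p, mode)
    results = {
        "good": audit({"KRB5CCNAME": "FILE:" + good}, uid),
        "bad": audit({"KRB5CCNAME": bad}, uid),   # bare path -> FILE
        "kcm": audit({"KRB5CCNAME": "KCM:%d" % uid}, uid),
        "unset": resolve_ccache({}, uid),
    }
    shutil.rmtree(d)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the check makes concrete: with a FILE cache, the process inheriting KRB5CCNAME from the login session is what gives ssh and Kerberized NFS their tickets, so the file must belong to the user and be mode 0600; a KCM cache has no on-disk residual, which is one reason it is offered as the alternative in the reply.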