On Thursday 26 Sep 2013 08:17:44 Stephen Gallagher wrote:
[...]
>>> It's some of our users/admins/dbas, etc who log on to servers
>>> and run jobs that may take e.g. 2 days.
>>
>> Would it help your use case to request renewable tickets and then
>> use SSSD's renewing as per krb5_renew_interval and
>> krb5_renewable_lifetime ?
>
> That is already what I do. However SSSD will not watch after
> tickets it hasn't initialised itself - e.g. ones obtained via
> manual kinit, or forwarded via ssh -K. That's why I was looking
> for a way to "tell" SSSD "hey, here's a ccache /tmp/krb5cc_11111,
> look after it" :)
> Well, in terms of forwarded tickets, that would best be handled on the
> originating machine. So if you got those creds initially using SSSD on
> the client machine and it auto-renewed them there, that *should*
> percolate down to the server you're connected to as well, IIRC[1].
> Thus there should be no need to have the server managing them at all.
Yes, that would be ideal but I'm afraid it doesn't work like that. I just
verified this twice to be sure :)
It looks like it will someday work like that when using gss-proxy (if/when it
implements credentials access forwarding).
> As for kinit, the obvious question is "Why?". What's the use case for
> using kinit instead of logging in via SSSD or forwarding the tickets
> with SSH? I'd like to understand the user experience before discussing
> code changes.
Yeah, I was asking that question too, and narrowed it down to two cases.
The major one is people logging in via SSH PKI (with keys). Switching to
password auth is not so good, as then you get a password prompt for each session.
Switching to GSSAPI is not always feasible, e.g. a bunch of users are on
Windows+cygwin, where I'm not sure if this can even be done, etc.
The other case is `sudo -u`, but this is minor and could just use su for that
case.
In general though, it would just be a more seamless experience, if SSSD could
manage your credentials however they were acquired.
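As an added example (not part of the thread and not SSSD's own code), here is a small POSIX shell helper for the check a server admin would want before relying on the krb5_renew_interval / krb5_renewable_lifetime renewal discussed above: whether the TGT sitting in a given cache is actually renewable, and until when. It parses the text of `klist -f`; the two klist outputs embedded below are constructed samples, not captured from a real host, and the cache names, principal and times in them are made up.

```shell
#!/bin/sh
# Added example: inspect klist -f output and report whether the TGT is
# renewable (the precondition for any renewer, SSSD included, to extend it).
# The samples below are constructed, not real klist output.

SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_11111
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
09/26/2013 08:00:00  09/26/2013 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/28/2013 08:00:00, Flags: FRIA'

SAMPLE_NOT_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_22222
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
09/26/2013 08:00:00  09/26/2013 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# Print the Flags string of the first krbtgt entry in klist -f output (stdin).
tgt_flags() {
  awk '/krbtgt\// { found = 1; next }
       found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }'
}

# Print the cache name (e.g. FILE:/tmp/krb5cc_11111) from klist output (stdin).
cache_name() {
  awk '/^Ticket cache: / { sub(/^Ticket cache: /, ""); print; exit }'
}

# Exit 0 if the TGT in the given klist text carries the R (renewable) flag.
ticket_is_renewable() {
  case "$(printf '%s\n' "$1" | tgt_flags)" in
    *R*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the "renew until" timestamp of the TGT, or nothing if it has none.
renew_until() {
  printf '%s\n' "$1" |
    awk '/renew until/ { sub(/.*renew until /, ""); sub(/,.*/, ""); print; exit }'
}

# One-line summary for a cache; returns 0 when renewable, 1 otherwise.
report() {
  name=$(printf '%s\n' "$1" | cache_name)
  if ticket_is_renewable "$1"; then
    echo "$name: TGT renewable until $(renew_until "$1"); a renewer that owns this cache can extend it"
    return 0
  fi
  echo "$name: TGT is NOT renewable; it must be re-obtained before it expires"
  return 1
}

# Demonstrate on the constructed samples (on a real host: report "$(klist -f)").
report "$SAMPLE_RENEWABLE"
report "$SAMPLE_NOT_RENEWABLE" || true
```

The renewable flag alone is not sufficient: as the reply above notes, SSSD only renews caches it initialised itself, so a cache that reports as renewable here but came from a manual kinit or a forwarded ssh -K session still needs another mechanism (or a re-kinit) before its renewable lifetime runs out.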