Mailing List Archive

[Bug 445] User DCE Credentials do not get forwarded to child session
http://bugzilla.mindrot.org/show_bug.cgi?id=445





------- Additional Comments From simon@sxw.org.uk 2003-05-21 00:49 -------
The existing code only handles the situation where Kerberos
credentials are created by OpenSSH's krb5 code. What would appear
to be happening under OSF/1 is that one of the calls used to verify
the user's login is, as a by-product, creating the credentials cache.

When the child is forked, this environment information is being lost. We
already handle the case for Cygwin where we have to propagate the parent's
environment to the child - this is just a special case of that.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.





------- Additional Comments From kmy@ornl.gov 2003-05-21 01:11 -------
I am no longer running OSF1, although I may
have to do so in the future. The last comment
on propagating parent's environment to the
child is mostly correct. The call to
sia_ses_init creates a KRB5 ticket which
contains authorization/authentication for
the parent. This ticket information needs
to be propagated to the child.

Actually, this is the proper way to handle
OSF1 SIA, since the operating system SIA
layer is run-time configurable by design
and you do not really want to pass
the user's password to KRB5 a second time.

This is to say that the file /etc/sia/matrix.conf
tells the OS whether or not DCE is a valid
authentication/authorization method. In the event
that DCE is being used, the parent's authorizations
do need to be propagated to the child. However, we
also must deal with the case wherein DCE is no longer
a valid mechanism. In this case, the parent will
not have an authorization to propagate.
--
Ken Matney, Sr.








------- Additional Comments From kmy@ornl.gov 2003-05-21 01:14 -------
Oops! That should have been sia_ses_authent
instead of sia_ses_init. And sia_ses_release
does not destroy the credential (also by design).
--
Ken Matney, Sr.



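
The propagation discussed in this thread, as an added example in C; it is not code from the thread or from OpenSSH. It assumes the by-product cache is advertised to the parent through the KRB5CCNAME variable; propagate_ccache is a hypothetical helper, and the ownership and mode check before hand-over is an addition of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the cache created during login is named by KRB5CCNAME. */
#define CCACHE_VAR "KRB5CCNAME"

/*
 * Hypothetical helper: append "KRB5CCNAME=<value>" to a child environment
 * that is built from scratch rather than inherited.
 * Returns 1 if propagated, 0 if the parent has nothing to propagate
 * (e.g. DCE is not a configured mechanism), -1 if the cache is rejected
 * or the caller's buffers are too small.
 */
int
propagate_ccache(char **envp, size_t slots, uid_t uid, char *buf, size_t len)
{
	const char *val = getenv(CCACHE_VAR);
	const char *path;
	struct stat st;
	size_t n = 0;

	if (val == NULL || *val == '\0')
		return 0;	/* no authorization to propagate */
	path = strncmp(val, "FILE:", 5) == 0 ? val + 5 : val;
	/* Hand over only a regular file owned by the user, closed to others. */
	if (lstat(path, &st) == -1 || !S_ISREG(st.st_mode) ||
	    st.st_uid != uid || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
		return -1;
	while (n < slots && envp[n] != NULL)
		n++;
	/* Need one slot for the entry and one for the terminating NULL. */
	if (n + 1 >= slots ||
	    (size_t)snprintf(buf, len, "%s=%s", CCACHE_VAR, val) >= len)
		return -1;
	envp[n] = buf;
	envp[n + 1] = NULL;
	return 1;
}
```

A return of 0 covers the case raised above where DCE is no longer a valid mechanism and the parent holds nothing to pass on.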