Re: [PATCH] Kerberos support for screen

From: inode0
Subject: Re: [PATCH] Kerberos support for screen
Date: Sat, 26 Feb 2005 15:15:42 -0600

On Sat, 26 Feb 2005 21:31:29 +0100, Fredrik Tolf <address@hidden> wrote:
> On Sat, 2005-02-26 at 11:16 -0600, inode0 wrote:
> >
> > I put my credential cache in a location where it won't be deleted
> > either by configuring kerberos to do that by default or by setting the
> > appropriate environment variables. That seems to solve this problem
> > for me.
> Yeah, but then you actually have to put your ccache in a different
> location, manually. That's what I wanted to avoid. :)
> IMHO, everything that can be automated should be, so that's what I did.

On machines where I am the sole user, I build kerberos to use a
non-standard default location and don't run kdestroy at logout.
Otherwise, I set KRB5CCNAME and KRBTKFILE during login. I don't do
anything manually during the normal course of events.

I agree though that is not well suited to all situations. I just
offered it as the way I went about getting around this problem. I
didn't mean that it was a better way, just another way.

> > This one is more philosophical to me. The situations where I'm using
> > screen/kerberos together tend to be on fairly secure machines where
> > I'm comfortable leaving long tickets sitting on the machine. Renewing
> > them is a bit annoying, but doing that once a month hasn't been that
> > annoying to me. Maybe I just haven't quite made the mental adjustment
> > going from krb4 philosophy to krb5 yet?
> Again, I think that everything that can be automated should be, so I
> decided to automate it and make screen renew the tickets. Also, I'm not
> very comfortable with long-lived tickets. Maybe it's just me, but I feel
> much better having tickets that can be renewed for a long time, but that
> expire sooner. My tickets expire after 10 hrs, but are renewable for 10
> days.

I certainly share your discomfort with long tickets in many
circumstances. I am comfortable with them on machines that aren't
public and that I'm logged into constantly anyway. And those are the
machines I typically leave screen sessions hanging around on. This, I
think, may be the spot where I just haven't gotten used to the idea of
renewable tickets yet. That may well be a better way to go.

> Either way, I don't intend to shove the patch down your throat. ;-)

Oh, I have no objection to your proposed patch. I also don't have any
say in whether it is accepted. Just trying to share what I've been
doing to work around the same issues, although my situation may well
be sufficiently different from others that it isn't useful in general.

Best wishes, Fredrik. I heartily applaud you for contributing something
of substance that involves two of my favorite things!
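
The login-time approach described in this message, as an added example that is not code from the thread or from the screen patch: a profile helper that picks a credential cache path outside the default location and keeps its directory owner-only. The function name `krb5_persistent_ccache` and the `$HOME/.krb5cc` directory are assumptions; the `kinit` flags in the comments are MIT Kerberos options.

```shell
# Added example: login-profile helper. Function name and default directory
# are assumptions made for illustration.
# Goal: a per-user credential cache outside the default location, so the
# tickets are not removed at logout while a detached screen session runs.

krb5_persistent_ccache() {
    # $1: cache directory (assumed default: $HOME/.krb5cc)
    dir=${1:-"$HOME/.krb5cc"}

    # Refuse a symlink: the cache could be redirected somewhere unexpected.
    if [ -L "$dir" ]; then
        echo "refusing symlinked cache directory: $dir" >&2
        return 1
    fi

    # Create the directory with a restrictive umask so it is never
    # briefly readable by other users.
    if [ ! -d "$dir" ]; then
        ( umask 077 && mkdir -p "$dir" ) || return 1
    fi

    # The directory must belong to the current user.
    if [ ! -O "$dir" ]; then
        echo "cache directory not owned by current user: $dir" >&2
        return 1
    fi

    # Tighten permissions in case the directory already existed.
    chmod 700 "$dir" || return 1

    # Value suitable for KRB5CCNAME (file-based cache).
    printf 'FILE:%s/krb5cc_%s\n' "$dir" "$(id -u)"
}

# Usage from a login profile (left as comments so sourcing this has no effect):
#   KRB5CCNAME=$(krb5_persistent_ccache) && export KRB5CCNAME
#   kinit -l 10h -r 10d   # 10-hour ticket, renewable for 10 days (as in the thread)
#   kinit -R              # later: renew the ticket within the renewable lifetime
```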

