[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Kerberos support for screen
Re: [PATCH] Kerberos support for screen
Sat, 26 Feb 2005 15:06:32 -0800
Can this sort-of logic (re: screen keeping one credential cache for
Kerberos) be applied to the situation pertaining to SSH agents? (see my
previous thread on the gnu-screen mailing list for details)
The solution you've proposed sounds, to me, like a good one. I think
we all agree it's not the "responsibility" of screen to solve problems
like these, but there's really no other place it can be solved while
using screen itself. Framework for solving this problem, in my opinion,
is a Good Thing(tm).
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. |
On Sat, Feb 26, 2005 at 09:31:29PM +0100, Fredrik Tolf wrote:
> On Sat, 2005-02-26 at 11:16 -0600, inode0 wrote:
> > On Sat, 26 Feb 2005 17:30:26 +0100, Fredrik Tolf <address@hidden> wrote:
> > > Hi all!
> > >
> > > I was having some trouble with Kerberos and screen, so I wrote this
> > > patch. Not sure if I should send patches to "screen-users", but I
> > > couldn't find any other mailing list. =)
> > I've been dealing with these issues for a long time too but I didn't
> > perceive it to be a problem with screen.
> Well, neither did I. I just perceived that screen would be a good place
> to fix it. It's also a question of semantics to me. In my opinion,
> you're supposed to have one ccache per session, and since screen in
> essence creates a new session, I think the correct semantic is to have
> screen manage a ccache for that session.
> > > Anyway, my basic problems were two:
> > > 1. If one logs in with Kerberos support and thereby gets tickets and
> > > then starts a screen, that screen session will use the same credential
> > > cache. If one then detaches the screen and logs out, the login program
> > > will remove the credential cache, and the processes running in the
> > > detached screen will be ticket-less. Therefore, this patch makes a copy
> > > of the credential cache and ensures that all processes in the screen
> > > session will use it.
> > I put my credential cache in a location where it won't be deleted
> > either by configuring kerberos to do that by default or by setting the
> > appropriate environment variables. That seems to solve this problem
> > for me.
> Yeah, but then you actually have to put your ccache in a different
> location, manually. That's what I wanted to avoid. :)
> IMHO, everything that can be automated should be, so that's what I did.
> > > 2. If I start a screen, detach it and let it lie for some time, the
> > > tickets will expire if I don't manually log in once in a while and renew
> > > them manually. Therefore, this patch renews the tickets when necessary
> > > (it registers an event that runs once per minute and examines if it's
> > > time to renew the tickets, and does so if it deems it good).
> > This one is more philosophical to me. The situations where I'm using
> > screen/kerberos together tend to be on fairly secure machines where
> > I'm comfortable leaving long tickets sitting on the machine. Renewing
> > them is a bit annoying, but doing that once a month hasn't been that
> > annoying to me. Maybe I just haven't quite made the mental adjustment
> > going from krb4 philosophy to krb5 yet?
> Again, I think that everything that can be automated should be, so I
> decided to automate it and make screen renew the tickets. Also, I'm not
> very comfortable with long-lived tickets. Maybe it's just me, but I feel
> much better having tickets that can be renewed for a long time, but that
> expire sooner. My tickets expire after 10 hrs, but are renewable for 10
> Either way, I don't intend to shove the patch down your throat. ;-)
> I just found it useful, and posted it 1) in the hope that someone else
> finds it useful, and 2) it the hope that it might make it into the next
> release of screen, so that I don't have to patch my machines manually
> Fredrik Tolf
> screen-users mailing list