[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Kerberos support for screen
|
From: |
Fredrik Tolf |
|
Subject: |
Re: [PATCH] Kerberos support for screen |
|
Date: |
Sun, 27 Feb 2005 01:01:21 +0100 |
On Sat, 2005-02-26 at 15:15 -0600, inode0 wrote:
> On Sat, 26 Feb 2005 21:31:29 +0100, Fredrik Tolf <address@hidden> wrote:
> > Either way, I don't intend to shove the patch down your throat. ;-)
>
> Oh, I have no objection to your proposed patch. I also don't have any
> say in whether it is accepted. Just trying to share what I've been
> doing to work around the same issues, although my situation may well
> be sufficiently different from others that it isn't useful in general.
I'm sorry if I sounded overly aggressive -- I know that you didn't mean
to object. However, when you said that you "didn't perceive it to be a
problem with screen", you struck at the heart of something I hadn't
really considered -- there _isn't_ really a problem with screen. There's
no obvious reason why screen should have to be extended to cover for
problems with Kerberos, after all.
I guess it's a compromise in one of two directions:
1. Either one agrees with my argument that a screen back-end constitutes
a session in itself and therefore should take care to manage its own
credential cache in a Kerberos-enabled system.
2. One goes with the other argument that my patch is extending screen
with tasks that screen shouldn't have to bother with in the first place,
and argues to fix either Kerberos itself or the system integration with
Kerberos (for example, associating each process with a kernel-level
credential cache would solve this problem as well, and arguable in a
nicer way as well -- you'd get automatic credential cache garbage
collection, automatic renewal and who knows what more)
Now, to be sure: My patch may well not be the best way to go. However,
to my knowledge, it's the only currently implemented way to go. The
latest versions of the Linux kernel have had an option called
CONFIG_KEYS, described as "This option provides support for retaining
authentication tokens and access keys in the kernel...", so maybe
they're rooting for a kernel-level credential cache. If that is so, then
it will probably solve the problem on a better level. Until then,
however, there's little choice to my knowledge.
Of course, I could be completely wrong altogether in my assessment, so
please comment. :-)
I've also committed the patch to the Gentoo Linux and Fedora Core
bugzillas, so I'll see what they have to say about it.
> Best wishes Fredrik. I heartily applaud you for contributing something
> of substance that involves two of my favorite things!
I'm glad that you, too, see Kerberos that way. Many people that I talk
to seem to see Kerberos as some kind of necessary evil, which makes me a
bit sad considering how beautiful it is. :-)
Fredrik Tolf