On 3/21/16, 8:55 PM, John Devitofranceschi wrote:

>In an environment where users use smart cards to authenticate on Windows
>and then use ssh to login to UNIX systems via GSSAPI, it is nigh
>impossible to renew/refresh the Kerberos credentials in the UNIX session.
>If the user fails to renew their credentials before they expire, the user
>is stuck and must log out and log back in to get valid tickets.
>
>Meanwhile it is entirely likely that on the Windows desktop where they
>ssh'd from, fresh credentials have been served up constantly (when
>unlocking the screen, for example).
>
>Might it be possible to modify OpenSSH to configure the client to
>automatically forward fresh Kerberos credentials to the target session
>(assuming the sshd on the target has been modified to accept such
>updates)? Or is this a change that the current implementation just
>couldn't allow?

Does the Cascading Credentials capability in Simon Wilkinson's OpenSSH Kerberos/GSSAPI patch (http://www.sxw.org.uk/computing/patches/openssh) provide the desired functionality?

-Jim